Provide a way to set loginHint in Blazor with AAD auth #19925

Closed
Tracked by #26364
juho-hanhimaki opened this issue Mar 17, 2020 · 11 comments
Labels
affected-very-few (this issue impacts very few customers), area-blazor (includes Blazor, Razor Components), enhancement (an ask for a new feature or an enhancement to an existing one), feature-blazor-wasm (related to and / or impacts Blazor WebAssembly), feature-blazor-wasm-auth, severity-blocking (used by an internal tool)
Comments

@juho-hanhimaki
Contributor

Some applications provide multiple alternative authentication methods for the user to choose from.

To discover the authentication method automatically, the application may ask for the user's email address and use it to redirect to the correct authentication provider. When the user's email address is already known, it should not be asked for again by the authentication system.

Azure AD and the MSAL.js library provide the login_hint (AAD) and loginHint (MSAL.js) parameters that can be used to prefill the login email address. At the moment the Microsoft.Authentication.WebAssembly.Msal package doesn't offer any way to set the parameter.

MSAL.js docs
https://azuread.github.io/microsoft-authentication-library-for-js/docs/msal/modules/_authenticationparameters_.html#authenticationparameters

@javiercn javiercn added area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly enhancement This issue represents an ask for new feature or an enhancement to an existing one labels Mar 18, 2020
@WarrenCrabb

WarrenCrabb commented Mar 18, 2020

Additionally, it would be useful to be able to supply the optional prompt parameter. I have cases where I would like to force a user to re-enter their credentials by using prompt=login.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#send-the-sign-in-request

@mkArtakMSFT
Member

We've moved this issue to the Backlog milestone. This means that it is not going to happen for the coming release. We will reassess the backlog following the current release and consider this item at that time. However, keep in mind that there are many other high priority features with which it will be competing for resources.

@javiercn javiercn added affected-very-few This issue impacts very few customers severity-blocking This label is used by an internal tool labels Oct 9, 2020 — with ASP.NET Core Issue Ranking
@szalapski

Also need domain hint in addition to login hint. Would you reconsider prioritizing this? It would be a very easy enhancement, just exposing the hint fields that already exist upstream.

As it is now, users get a suboptimal experience of an extra unnecessary "choose your account" prompt when logging in. I can hear it now "Stupid site! I'm already logged in!"

Issue came from https://stackoverflow.com/questions/63605653/is-there-a-way-to-supply-a-domain-hint-for-single-sign-on-using-msal-net-on-a-bl

@szalapski

"affected-very-few" seems dubious. It affects very few because very few are using Blazor for sites that require auth. This one would be a barrier to increased adoption.

@bakerCaleb

Hi,

I'd like to give a big +1 to adding loginHint support. We're working on a big Ignite announcement (March), that allows Conditional Access policy to be applied to parts of an app, like when sensitive files are accessed. I have a demo app using Blazor working with the feature and I want to highlight it, however the lack of support for loginHint is breaking the experience, because when the user is prompted to satisfy additional Conditional Access policies, they need to go through user selection again.

Current behavior

  1. Alice signs in to Blazor app with username and password
  2. Alice goes to sensitive part of Blazor app to view secret info
  3. Before getting access, Alice is redirected back to Azure AD to satisfy an additional Conditional Access policy (I'll use multi-factor authentication as the policy requirement in this example)
  4. Alice needs to select which account she wants to use (this is the step we need to get rid of with loginHint, the user context is already well established)
  5. Alice completes multi-factor authentication and gains access to the sensitive app data.

@juho-hanhimaki
Contributor Author

juho-hanhimaki commented Nov 6, 2020

I too want to reiterate how important this is for more fully featured enterprise SaaS apps. Blazor is starting to mature, but auth scenarios could use some more love.

Edit: accidentally closed this issue trying out the new GitHub app. 😅

@oppknox

oppknox commented May 10, 2021

"affected-very-few" seems dubious. It affects very few because very few are using Blazor for sites that require auth. This one would be a barrier to increased adoption.

The list is growing. Let's get on this please!

@DnlCYan

DnlCYan commented Aug 5, 2021

I would like to reinforce the need to add login_hint functionality.
From what I've seen in the code, it's very easy to add it, like Prompt is added:

    Prompt = properties.GetParameter<string>(OpenIdConnectParameterNames.Prompt) ?? Options.Prompt,

Though a better solution is to map AuthenticationProperties.Parameters directly to OpenIdConnectMessage.Parameters at OpenIdConnectMessage creation. This solves all missing parameters, including login_hint and domain_hint.

Until this is fixed, my solution was to create and use my own OpenIdConnectHandler extending the original one, and fix HandleChallengeAsync method so that it can handle parameters correctly.

@hepshaw

hepshaw commented Aug 5, 2021

Also need domain hint in addition to login hint. Would you reconsider prioritizing this? It would be a very easy enhancement, just exposing the hint fields that already exist upstream.

As it is now, users get a suboptimal experience of an extra unnecessary "choose your account" prompt when logging in. I can hear it now "Stupid site! I'm already logged in!"

Issue came from https://stackoverflow.com/questions/63605653/is-there-a-way-to-supply-a-domain-hint-for-single-sign-on-using-msal-net-on-a-bl

Add the following just under services.AddAuthentication(...) to add domain_hint

    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

    services.Configure<MicrosoftIdentityOptions>(options =>
    {
        // Runs before every redirect to Azure AD; adds domain_hint to the authorization request.
        options.Events.OnRedirectToIdentityProvider = context =>
        {
            context.ProtocolMessage.SetParameter("domain_hint", "YOUR DOMAIN");
            return Task.CompletedTask;
        };
    });
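A fuller version of the server-side pattern in the snippet above, as an added example that is not from this thread and not Microsoft.Identity.Web's own code. It also implements DnlCYan's suggestion of forwarding AuthenticationProperties parameters into the authorization request, but through the OnRedirectToIdentityProvider event instead of a custom OpenIdConnectHandler, and restricted to an allow-list (login_hint, domain_hint, prompt) rather than a blanket copy of Properties.Parameters, so a caller cannot smuggle arbitrary query parameters into the redirect. Two caveats a practitioner would want: Microsoft.Identity.Web installs its own handler on OnRedirectToIdentityProvider, so the example wraps the existing delegate instead of assigning over it as the snippet does; and login_hint is unauthenticated input (the user can still pick another account at Azure AD), so if the app made any decision based on that e-mail, the account that actually signed in is checked against it in OnTokenValidated. Assumptions: an "AzureAd" configuration section as read by AddMicrosoftIdentityWebApp, and the hypothetical /login endpoint and HintForwarder helper names, which are not part of any library.

```csharp
// Added example for this thread; not code from the issue or from Microsoft.Identity.Web.
// Server-side ASP.NET Core (.NET 6+ minimal hosting) signing in to Azure AD with OpenID Connect.
// Assumptions: an "AzureAd" configuration section as read by AddMicrosoftIdentityWebApp,
// and the hypothetical /login endpoint and HintForwarder helper below.
using System.Net.Mail;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Registered AFTER AddMicrosoftIdentityWebApp: Configure callbacks run in registration
// order, and we want to wrap the handlers Microsoft.Identity.Web installed, not replace them.
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    var innerRedirect = options.Events.OnRedirectToIdentityProvider;
    options.Events.OnRedirectToIdentityProvider = async context =>
    {
        await innerRedirect(context);
        // Forward only the allow-listed per-request parameters to the authorization request.
        HintForwarder.Apply(context.Properties, context.ProtocolMessage);
    };

    var innerValidated = options.Events.OnTokenValidated;
    options.Events.OnTokenValidated = async context =>
    {
        await innerValidated(context);
        // login_hint is only a hint: the user may sign in with a different account.
        // Enforce a match only because this app routed the user on that e-mail; apps that
        // merely pre-fill the box should log a mismatch rather than fail the sign-in.
        string? expected = null;
        context.Properties?.Items.TryGetValue(HintForwarder.ExpectedUserKey, out expected);
        var actual = context.Principal?.FindFirst("preferred_username")?.Value;
        if (expected is not null && !string.Equals(expected, actual, StringComparison.OrdinalIgnoreCase))
        {
            context.Fail("signed-in account does not match the hinted account");
        }
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: the app already asked for the e-mail, so pre-fill it at Azure AD.
// ?reauth=true forces credential re-entry with prompt=login (WarrenCrabb's case above).
app.MapGet("/login", (string? email, bool? reauth) =>
{
    var props = HintForwarder.BuildChallenge(email, reauth == true, returnUrl: "/");
    return Results.Challenge(props, new[] { OpenIdConnectDefaults.AuthenticationScheme });
});

app.Run();

public static class HintForwarder
{
    public const string ExpectedUserKey = "expected_user";

    // The only parameters a caller may add to the redirect. Values are the wire names:
    // "login_hint", "domain_hint", "prompt".
    private static readonly string[] Forwarded =
    {
        OpenIdConnectParameterNames.LoginHint,
        OpenIdConnectParameterNames.DomainHint,
        OpenIdConnectParameterNames.Prompt,
    };

    public static AuthenticationProperties BuildChallenge(string? email, bool reauth, string returnUrl)
    {
        var props = new AuthenticationProperties { RedirectUri = returnUrl };
        // Only a well-formed address becomes a hint; the value ends up in a URL sent to Azure AD.
        if (MailAddress.TryCreate(email, out var address))
        {
            props.SetParameter(OpenIdConnectParameterNames.LoginHint, address.Address);
            props.SetParameter(OpenIdConnectParameterNames.DomainHint, address.Host);
            // Parameters are not serialized into the OIDC state; Items are. Keep a copy
            // so OnTokenValidated can compare it with the account that signed in.
            props.Items[ExpectedUserKey] = address.Address;
        }
        if (reauth)
        {
            props.SetParameter(OpenIdConnectParameterNames.Prompt, "login");
        }
        return props;
    }

    public static void Apply(AuthenticationProperties props, OpenIdConnectMessage message)
    {
        foreach (var name in Forwarded)
        {
            var value = props.GetParameter<string>(name);
            if (!string.IsNullOrEmpty(value))
            {
                message.SetParameter(name, value);
            }
        }
    }
}
```

Note that the stock OpenIdConnectHandler already reads the prompt parameter from AuthenticationProperties (the line DnlCYan quoted), so forwarding it here is harmless but redundant; login_hint and domain_hint are the ones the handler does not pick up on its own. The mismatch check compares against preferred_username, which is not guaranteed to equal the address the user typed (aliases, UPN changes), so decide per application whether a mismatch should fail the sign-in or only be logged.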

@syska

syska commented Feb 1, 2022

Add the following just under services.AddAuthentication(...) to add domain_hint

    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

    services.Configure<MicrosoftIdentityOptions>(options =>
    {
        options.Events.OnRedirectToIdentityProvider = context =>
        {
            context.ProtocolMessage.SetParameter("domain_hint", "YOUR DOMAIN");
            return Task.CompletedTask;
        };
    });

This is for services.AddAuthentication ... but what if Msal is being used with services.AddMsalAuthentication ...

Do you also have some magic tricks here? I have been searching the web and I keep coming back to the same few issues about this.

Do note, this is used with Blazor WASM.

@javiercn
Member

This is covered by #42580
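For syska's question about the AddMsalAuthentication (Blazor WebAssembly) side, which javiercn says was covered by #42580, here is an added example; it is not from this thread and not code from the Microsoft.Authentication.WebAssembly.Msal package. It assumes the InteractiveRequestOptions and NavigateToLogin APIs that exist in .NET 7 (an assumption on my part about what the referenced fix exposes; the page itself only cites the number), and it assumes the MSAL provider reads the MSAL.js parameter names loginHint, domainHint and prompt from the additional parameters rather than the wire-level login_hint and domain_hint used on the server side above; verify the names against the docs for your version. The page name, the DomainHints routing table and the form properties are hypothetical, and the matching .razor markup (an e-mail input bound to Email, a checkbox bound to ForceCredentials, a button calling Continue) is omitted.

```csharp
// ChooseLogin.razor.cs: added example, not code from this thread or from the
// Microsoft.Authentication.WebAssembly.Msal package. Code-behind for a Blazor
// WebAssembly page that asks for the e-mail first (the scenario in the opening post)
// and then starts the MSAL login with the hint pre-filled.
// Assumptions: .NET 7's InteractiveRequestOptions / NavigateToLogin, and that the MSAL
// provider honours the MSAL.js names loginHint / domainHint / prompt as additional parameters.
using System.Net.Mail;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;

public partial class ChooseLogin : ComponentBase
{
    [Inject] private NavigationManager Navigation { get; set; } = default!;

    // Bound to the inputs in the (omitted) ChooseLogin.razor markup.
    public string Email { get; set; } = "";
    public bool ForceCredentials { get; set; }

    // Hypothetical routing table for the "several identity providers" case:
    // e-mail domain -> domainHint to send. Unknown domains get no hint, so the
    // user still sees the normal account picker instead of an error at the IdP.
    private static readonly IReadOnlyDictionary<string, string> DomainHints =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["contoso.com"] = "contoso.com",
            ["fabrikam.com"] = "fabrikam.onmicrosoft.com",
        };

    // Builds the sign-in request. Static and side-effect free so it can be unit tested
    // without a browser.
    public static InteractiveRequestOptions BuildLoginRequest(string email, string returnUrl, bool forceCredentials)
    {
        var request = new InteractiveRequestOptions
        {
            Interaction = InteractionType.SignIn,
            ReturnUrl = returnUrl,
        };

        // Only a well-formed address becomes a hint; anything else is dropped rather
        // than forwarded into the authorization request.
        if (MailAddress.TryCreate(email, out var address))
        {
            request.TryAddAdditionalParameter("loginHint", address.Address);
            if (DomainHints.TryGetValue(address.Host, out var domainHint))
            {
                request.TryAddAdditionalParameter("domainHint", domainHint);
            }
        }

        // prompt=login asks Azure AD to collect credentials again even if the user has a
        // session (WarrenCrabb's case). It is a request to the IdP; the app learns nothing
        // from the hint itself about whether re-authentication actually happened.
        if (forceCredentials)
        {
            request.TryAddAdditionalParameter("prompt", "login");
        }

        return request;
    }

    // Called from the form's submit button.
    protected void Continue()
    {
        var request = BuildLoginRequest(Email, Navigation.Uri, ForceCredentials);
        Navigation.NavigateToLogin("authentication/login", request);
    }
}
```

As on the server side, the hint only pre-fills the account picker; the identity the app should act on is whatever comes back in the validated token, not the address the user typed into this form.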

@javiercn javiercn removed this from the Backlog milestone Aug 23, 2022
@javiercn javiercn added this to the 7.0-rc1 milestone Aug 23, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Sep 22, 2022