Some applications provide multiple alternative authentication methods for the user to choose from.
To discover the authentication method automatically, the application may ask for the user's email address and use it to redirect to the correct authentication provider. When the user's email address is already known, it should not be asked for again by the authentication system.
Azure AD and the MSAL.js library provide the login_hint (AAD) and loginHint (MSAL.js) parameters that can be used to prefill the login email address. At the moment the Microsoft.Authentication.WebAssembly.Msal package doesn't offer any way to set the parameter.
Additionally, it would be useful to be able to supply the optional prompt parameter. I have cases where I would like to force a user to re-enter their credentials by using prompt=login.
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#send-the-sign-in-request
We've moved this issue to the Backlog milestone. This means that it is not going to happen for the coming release. We will reassess the backlog following the current release and consider this item at that time. However, keep in mind that there are many other high priority features with which it will be competing for resources.
Also need domain hint in addition to login hint. Would you reconsider prioritizing this? It would be a very easy enhancement, just exposing the hint fields that already exist upstream.
As it is now, users get a suboptimal experience of an extra unnecessary "choose your account" prompt when logging in. I can hear it now: "Stupid site! I'm already logged in!"
Issue came from https://stackoverflow.com/questions/63605653/is-there-a-way-to-supply-a-domain-hint-for-single-sign-on-using-msal-net-on-a-bl
"affected-very-few" seems dubious. It affects very few because very few are using Blazor for sites that require auth. This one would be a barrier to increased adoption.
Hi,
I'd like to give a big +1 to adding loginHint support. We're working on a big Ignite announcement (March), that allows Conditional Access policy to be applied to parts of an app, like when sensitive files are accessed. I have a demo app using Blazor working with the feature and I want to highlight it, however the lack of support for loginHint is breaking the experience, because when the user is prompted to satisfy additional Conditional Access policies, they need to go through user selection again.
Current behavior
1) Alice signs in to Blazor app with username and password
2) Alice goes to sensitive part of Blazor app to view secret info
3) Before getting access, Alice is redirected back to Azure AD to satisfy additional Conditional Access policy (I'll use multi-factor authentication as a policy requirement in this example)
4) Alice needs to select which account she wants to use (this is the step we need to get rid of with loginHint, the user context is already well established)
5) Alice completes multi-factor authentication and gains access to the sensitive app data.
I too want to reiterate how important this is for more fully featured enterprise SaaS apps. Blazor is starting to mature, but auth scenarios could use some more love.
Edit: accidentally closed this issue trying out the new GitHub app. 😅
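The step-up redirect from the Alice scenario above, written out as an added example (not code from this thread, MSAL.js or the Blazor package): it builds the Azure AD v2.0 sign-in request with login_hint, domain_hint and prompt as named in the issue and the linked documentation, then checks that the account that comes back is the one already in the session. The function names, tenant, client ID, redirect URI and claim values are constructed for illustration.

```javascript
// Added example; names and sample values below are constructed.
const ALLOWED_PROMPTS = new Set(["login", "none", "consent", "select_account"]);
const SAMPLE_CFG = {
  tenant: "contoso.onmicrosoft.com",                 // constructed
  clientId: "00000000-0000-0000-0000-000000000000",  // placeholder
  redirectUri: "https://app.example/callback",       // constructed
};
// Claims of the ID token from Alice's first sign-in (constructed values).
const SAMPLE_SESSION = {
  preferred_username: "alice@contoso.com",
  oid: "11111111-1111-1111-1111-111111111111",
  tid: "22222222-2222-2222-2222-222222222222",
};

// Build the step-up sign-in request, carrying the signed-in account as
// login_hint so Azure AD does not ask Alice to choose an account again.
function buildStepUpUrl(cfg, session, opts) {
  const hint = session.preferred_username;
  if (typeof hint !== "string" || !/^[^\s@]+@[^\s@]+$/.test(hint)) {
    throw new Error("session has no usable login hint");
  }
  if (!opts.state || !opts.nonce) {
    throw new Error("state and nonce are required");
  }
  if (opts.prompt !== undefined && !ALLOWED_PROMPTS.has(opts.prompt)) {
    throw new Error("unsupported prompt value: " + opts.prompt);
  }
  const url = new URL("https://login.microsoftonline.com/" +
    encodeURIComponent(cfg.tenant) + "/oauth2/v2.0/authorize");
  const q = url.searchParams;
  q.set("client_id", cfg.clientId);
  q.set("response_type", "id_token");
  q.set("response_mode", "fragment");
  q.set("redirect_uri", cfg.redirectUri);
  q.set("scope", "openid profile");
  q.set("state", opts.state);
  q.set("nonce", opts.nonce);
  q.set("login_hint", hint);
  if (opts.domainHint) q.set("domain_hint", opts.domainHint);
  if (opts.prompt) q.set("prompt", opts.prompt);
  return url.toString();
}

// login_hint only prefills the sign-in page and the user can still switch
// accounts there, so compare the returned token's identity to the session.
function sameAccount(session, returned) {
  return Boolean(session.oid) &&
    session.oid === returned.oid && session.tid === returned.tid;
}
```

The state and nonce values are expected to be generated per request by the caller, and the returned claims passed to sameAccount are assumed to come from an ID token that has already been validated.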