[Feature Request] Provide the ability to customize the challenge URL for MicrosoftIdentityConsentAndConditionalAccessHandler
Cause
For now, the challenge URL used by MicrosoftIdentityConsentAndConditionalAccessHandler is hard-coded as Constants.BlazorChallengeUri, and all the query parameters are hard-coded as well. It forces users to use Microsoft.Identity.Web.UI.
Solution wanted
There can be many solutions for this: make MicrosoftIdentityConsentAndConditionalAccessHandler overridable, introduce some kind of interface, or provide some kind of options class to configure it. What I would prefer is that there is an interface for MicrosoftIdentityConsentAndConditionalAccessHandler.
Related
https://github.com/AzureAD/microsoft-identity-web/issues/2882
What is your scenario? What developer experience would you like to have?
@jmprieur, I want to be able to customize those things, and not all of the features of Microsoft.Identity.Web.UI are necessary for me; I don't want to rudely depend on it.
I made a workaround that might help others. I upgraded a Blazor Web app to net9. The app is secured by AzureAd/Entra and uses Microsoft.Identity.Web with AddMicrosoftGraph as well as AddDownstreamApi.
I followed the BlazorWebAppEntra sample. This caused calls to the Graph API to fail because this route didn't exist: https://localhost/MicrosoftIdentity/Account/Challenge?redirectUri=XXXXX
Using app.MapControllers() allowed the Challenge to work properly, but then broke the sample app's customized routes for login and logout.
It did not seem to work to use both MapControllers and MapGroup at the same time.
Here is what I did that is working for both the Challenge and the customized login/logout endpoints:
//Program.cs
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();
app.MapGroup("/authentication").MapLoginAndLogout();
app.MapGroup("/MicrosoftIdentity/Account").MapChallenge();
The code for MapLoginAndLogout() is from the sample.
Here is the code for MapChallenge():
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

internal static class MsiwRouteBuilderExtensions
{
    internal static IEndpointConventionBuilder MapChallenge(this IEndpointRouteBuilder endpoints)
    {
        var group = endpoints.MapGroup(string.Empty);

        // The handler's challenge URL passes the return address as "redirectUri"
        // (see the URL quoted above), so bind that query/form key explicitly.
        // Test further (someday) to find out if it is a GET or POST.
        group.MapGet("/Challenge", ([FromQuery(Name = "redirectUri")] string? returnUrl) =>
            TypedResults.Challenge(GetAuthProperties(returnUrl),
                [CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme]));
        group.MapPost("/Challenge", ([FromForm(Name = "redirectUri")] string? returnUrl) =>
            TypedResults.Challenge(GetAuthProperties(returnUrl),
                [CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme]));

        return group;
    }

    // Prevent open redirects. Non-empty returnUrls are absolute URIs provided by
    // NavigationManager.Uri, so only the path and query are kept as the redirect target.
    private static AuthenticationProperties GetAuthProperties(string? returnUrl) =>
        new()
        {
            RedirectUri = returnUrl switch
            {
                string => new Uri(returnUrl, UriKind.Absolute).PathAndQuery,
                null => "/",
            }
        };
}
I agree with this feature request that customizing Constants.BlazorChallengeUri during setup would be preferred.
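The open-redirect guard in the workaround above keeps only the path and query of whatever absolute URI it receives, but a non-absolute value makes `new Uri(..., UriKind.Absolute)` throw. The console program below is an added example (not code from the issue or from Microsoft.Identity.Web) that exercises that mapping with constructed inputs and shows a hardened variant, `ResolveRedirectSafe`, that is an assumption of this example and additionally requires the host to match the current request host.

```csharp
using System;

// Added example: exercises the redirect mapping used by the workaround's
// GetAuthProperties, plus a stricter variant. Not part of the issue's code.
static class ChallengeRedirectDemo
{
    // Same mapping as the workaround: absolute URI -> path+query, null -> "/".
    public static string ResolveRedirect(string? returnUrl) => returnUrl switch
    {
        string => new Uri(returnUrl, UriKind.Absolute).PathAndQuery,
        null => "/",
    };

    // Hardened variant (assumption, not from the issue): accept only absolute
    // URIs whose host equals the request host; anything else falls back to "/"
    // instead of throwing.
    public static string ResolveRedirectSafe(string? returnUrl, string requestHost)
    {
        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out var uri)
            && string.Equals(uri.Host, requestHost, StringComparison.OrdinalIgnoreCase))
        {
            return uri.PathAndQuery;
        }
        return "/";
    }

    static void Main()
    {
        // Constructed inputs: a same-host page, a foreign host, null, and a relative path.
        Console.WriteLine(ResolveRedirect("https://localhost/counter?x=1"));
        Console.WriteLine(ResolveRedirect("https://other.example/landing")); // host is discarded
        Console.WriteLine(ResolveRedirect(null));
        try
        {
            ResolveRedirect("/relative");
        }
        catch (UriFormatException)
        {
            // In the minimal-API endpoint this would surface as an unhandled exception (HTTP 500).
            Console.WriteLine("relative value is rejected by the Uri constructor");
        }

        // The hardened variant falls back to "/" for both cases instead.
        Console.WriteLine(ResolveRedirectSafe("https://other.example/landing", "localhost"));
        Console.WriteLine(ResolveRedirectSafe("/relative", "localhost"));
    }
}
```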