Should you implement a custom RemoteAuthenticatorView Blazor WASM


I have an application where users log in using AddMsalAuthentication for Entra (Azure AD); this works fine. Within the application, on certain pages, users are to authenticate against our helpdesk using OIDC, getting an auth token so API calls can be made.

I got this working by implementing my own AuthorizeView, AuthenticationStateProvider and RemoteAuthenticatorView, which seems to work, but I question if I should be doing this. I'm concerned about security around this, and I've been doing more research on this to see if I can use AddOidcAuthentication within the program.cs, but that looks to not be the way.

I thought maybe I could build another Blazor WASM app that the user is navigated to, where I can then use AddOidcAuthentication to manage authentication and token refresh. I feel this will be clunky and possibly the wrong direction also.

Jalpa Panchal On

Implementing custom AuthorizeView, AuthenticationStateProvider, and RemoteAuthenticatorView offers flexibility but requires careful handling of security aspects like token management.

Regarding your idea to create a separate Blazor WASM app for handling the OIDC authentication with your helpdesk system, it has its advantages and drawbacks. First, it will make the authentication flow simple, as you will separate it into a different app. Another advantage is that each app handles its own configuration without interfering with the other's authentication. As a disadvantage, users might find the navigation between apps for authentication purposes clunky or confusing. Managing sessions and tokens might be difficult between two apps.

In my opinion, creating another Blazor WASM app for handling the OIDC authentication for your helpdesk might indeed feel clunky and could introduce additional complexity without necessarily improving security or user experience.

As an alternative approach, you could use Azure AD as a centralized identity provider that federates with your helpdesk's OIDC provider. Implement an API gateway or a custom STS that handles authentication with both Azure AD and your helpdesk OIDC.

A more streamlined approach would involve minimizing the number of different authentication flows users need to navigate through and centralizing authentication logic as much as possible. This might mean federating your OIDC providers through Azure AD or implementing a service that abstracts these details away from your Blazor application. Consider using existing libraries, patterns, and practices for managing user authentication and session management securely.