This page does not describe authentication with "MS Account" #21816

Closed
ddobric opened this issue Mar 17, 2021 · 9 comments
Labels
Blazor doc-provided Source - Docs.ms Docs Customer feedback via GitHub Issue


ddobric commented Mar 17, 2021

The title of this page is "Secure an ASP.NET Core Blazor WebAssembly standalone app with Microsoft Accounts".
However, this page describes AAD authentication with the common endpoint.

Another question related to this is "Where is a description of how to authenticate with MS Account"?

Thanks in advance



@dotnet-bot dotnet-bot added ⌚ Not Triaged Blazor Source - Docs.ms Docs Customer feedback via GitHub Issue labels Mar 17, 2021
@guardrex guardrex self-assigned this Mar 17, 2021
@guardrex
Collaborator

guardrex commented Mar 17, 2021

Hello @ddobric ... That's correct tho for this type of account. We don't want to get into the weeds here between AAD organizational accounts and MSA personal accounts; however, I feel that cross-linking to something in the Azure docs does make sense if I can find something good to cross-link. I'll see what I can scare up in the way of a good Azure resource on Thursday morning and get back to you.

Oh ... and for ...

> Where is a description of how to authenticate with MS Account

This is it. This is our bare bones coverage for the WASM standalone scenario. Most of the general docs reside in the Azure doc set; so for more info, you'd want to search their doc set for all of the juicy details. They have quite a bit of detailed coverage, including their own sample apps.

@ddobric
Author

ddobric commented Mar 17, 2021

Thanks for the quick answer, @guardrex.

Regarding my second question, I'm not sure what you mean? I'm not looking for MS Account auth in general?
I'm looking for Blazor authentication with MS Account. Where can I find that one if not on a Blazor doc site like this one?

@guardrex
Collaborator

guardrex commented Mar 17, 2021

Those aren't two different things: MS account auth in general is how Blazor apps authenticate users with MS accounts using the Microsoft.Authentication.WebAssembly.Msal API, project template, and Azure infrastructure. This is our, admittedly, bare bones coverage ... kind'a tutorial-like ... a walk-through type of topic. It is somewhat light on framework implementation and Azure details, which is why I was saying that you'd have to get into Azure docs for more information ... indeed ... one might even find themselves looking at the reference source in the product unit repo to see how the Blazor framework does its magic ✨ auth things in code. We just want a good happy path for devs to follow to get up and running, and we leave the details to their doc set to cover for MS Identity and Azure.

What I think I might be able to do here is track down one or two suitable links for these account types, organizational and personal, and set those here early so that readers can find their way over to more info. That's probably the best that I can do.

We often recommend to readers to discuss things on common support channels. Try these, which we frequently recommend ...

Leave this issue open ... it will close automatically when the PR merges later. I do hope to do something with cross-linking that will help clarify these scenarios.

@guardrex
Collaborator

I think I see what you might be asking: Why is SingleOrg used for MSA? The organizational accounts 'work or school' and personal accounts use the same infrastructure AFAIK with the only difference being that instead of specifying the Tenant ID for the Authority, common is used and the supported account types are in any directory versus a single organization directory. Otherwise, I don't think that there's a difference ... at least not from an app config perspective.

You'll get better information from the Azure docs than from me, and I'll see in the morning what I can scare up to cross-link.

@guardrex
Collaborator

guardrex commented Mar 17, 2021

It's an interesting historical subject. I did a quick search, and you can see several years ago how much confusion the two Identity systems were causing ...

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/cleaning-up-the-azuread-and-microsoft-account-overlap/ba-p/245105

It's especially disturbing that users would leave a company, have their 'work and school' organizational account get shut down ... but then lose access to their personal account if they forgot their password. Ouch! 🙈 That was addressed tho.

@guardrex
Collaborator

guardrex commented Mar 18, 2021

I took a look. The current opening cross-link is to ...

https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app#register-a-new-application-using-the-azure-portal

... as it includes the account types choices. Unfortunately, it doesn't address the "common" authority endpoint.

These have related info but not "common" endpoint information ...

This is the only one that I've come across there that explains the different account types with the "common" endpoint ...

https://docs.microsoft.com/azure/active-directory/develop/scenario-web-app-sign-user-app-configuration?tabs=aspnetcore#configuration-files

// - "common" to sign in users with any work or school account or Microsoft personal account

... and I didn't recall this one (but I may have seen this years ago) ...

// - "consumers" to sign in users with a Microsoft personal account only

... and I haven't tried it, so I assume that it works as advertised.

I'll cross link the start of that node of their docs. Update: Nah ... I don't want to cross-link that because it's a web app and not for SPA scenarios, which is what this is.

I think for any coverage problems that pertain to that doc set that you'd need to open an issue and discuss it with them. Hopefully tho, these cross-links have given you some relevant additional information. I'll leave u with what I said at the outset: This is our bare bones tutorial-type coverage for Blazor WebAssembly standalone apps that authenticate users with Microsoft Accounts, and the Azure docs will need to resolve all of the detail for the scenario. We just want to get devs up and running with basic authn/z experiences here and not cover AAD/B2C in depth.
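
The authority values discussed in the comments above (a tenant ID for a single organization, "common", and "consumers") decide which tenants can issue tokens to the app. The following C# check of a token's `tid` claim against the configured authority is an added example, not code from this issue or from the Blazor docs. The class and method names, the `allowedOrgs` allow-list and the sample tenant GUIDs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class AuthorityTenantPolicy
{
    // Tenant ID carried in the "tid" claim of tokens issued to personal Microsoft accounts.
    public static readonly Guid MsaTenant = Guid.Parse("9188040d-6c67-4c5b-b112-36a304b66dad");

    // First path segment of the authority: a tenant GUID, "common" or "consumers".
    public static string TenantSegment(string authority)
    {
        var uri = new Uri(authority, UriKind.Absolute);
        var parts = uri.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
        if (uri.Scheme != Uri.UriSchemeHttps || parts.Length == 0)
            throw new ArgumentException("Expected https://<host>/<tenant>", nameof(authority));
        return parts[0].ToLowerInvariant();
    }

    // Assumes the token's signature, issuer and audience were already validated.
    // allowedOrgs is this app's own (hypothetical) allow-list for "common"; null means any directory.
    public static bool Accepts(string authority, string tid, ICollection<Guid> allowedOrgs = null)
    {
        if (!Guid.TryParse(tid, out var tenant)) return false;
        var segment = TenantSegment(authority);
        if (segment == "consumers")   // personal accounts only
            return tenant == MsaTenant;
        if (segment == "common")      // any work or school account, or a personal account
            return tenant == MsaTenant || allowedOrgs == null || allowedOrgs.Contains(tenant);
        // Single organization: the authority names exactly one tenant ID.
        return Guid.TryParse(segment, out var configured) && configured == tenant;
    }

    public static void Main()
    {
        // Constructed tenant IDs for illustration only.
        var contoso = Guid.Parse("11111111-1111-1111-1111-111111111111");
        var other = "22222222-2222-2222-2222-222222222222";
        const string host = "https://login.microsoftonline.com/";

        // Single-org authority, token from a different tenant.
        Console.WriteLine(Accepts(host + contoso, other));
        // "common" with no allow-list, then with an allow-list that excludes the tenant.
        Console.WriteLine(Accepts(host + "common", other));
        Console.WriteLine(Accepts(host + "common", other, new[] { contoso }));
        // "consumers" with a personal-account token, then with an organizational one.
        Console.WriteLine(Accepts(host + "consumers", MsaTenant.ToString()));
        Console.WriteLine(Accepts(host + "consumers", contoso.ToString()));
    }
}
```

With "common" the endpoint itself does not restrict tenants, so any restriction to particular organizations has to come from a check like the allow-list above.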

@ddobric
Author

ddobric commented Mar 19, 2021

@guardrex, thank you for your suggestion. In general, the whole OAuth story is too complicated, and we (all) need to do a better job. There is no single sample for which one can be sure that it works. The Internet is full of workarounds that after a few months do not work or even work with an invalid configuration.

I originally started this post by looking for a sample that shows how to authenticate in Blazor WASM by using MS Account. I still didn't find that sample. :)

If developers need to research for a feature like authenticate and authorize, then we failed. Even customers expect such features to be out of the box for free.

My observation is like:

```
services.AddFooAuth()
services.AddFooJwt()
services.AddFooBarer()
services.AddFooMsal()
services.AddFooAad()
config.UseFooFb()
config.UseFooGoogle()
config.UseFooOid()
config.UseFooGoogle()
.. options
.....options
.........options
............options
.. use
.. use
```

Also, the approach by different project templates is not satisfying. It is good for demos and learning paths. But real life looks different. A real-life project might start without authentication or with authentication AuthFoo. Then people change their decision to use AuthBar. So, what then? To create a new project from the correct template? The sad story is that this is really the recommended way.

We should never forget that OAuth is in fact a very simple thing designed to be simple.

config.UseFooAuth

It is kind of funny :)

My suggestion is to delete/refactor all Auth samples and start documentation from the beginning.

@guardrex
Collaborator

I haven't reached this node of the Blazor docs yet on my UE ("user experience," i.e., doc overhaul) pass tracked by #19286. I'll review your remarks and suggestions when I reach that node. This won't get lost, as I've cross-linked it on that issue. Thanks for providing your feedback.

@ddobric
Author

ddobric commented Mar 21, 2021

@guardrex thanks for your support. We are happy that there is somebody who will take care of this.

3 participants