I am building a Blazor WASM app and I am struggling with the following:
I have a few Authorization policies dictated by the use of
@attribute [Authorize(Policy = "MyPolicy")]
Everything works great. The policies work fine - users who are authorized to access a certain page can get in whereas users who are not authorized to access a page get a message indicating such.
The issue arises when I open a new browser window. My assumption (and I could very easily be wrong) is that if I am authenticated in one browser window and I open another browser window, my authentication & authorization persist.
What I have found is that the user is identified as authenticated but they cannot authorize.
Is there something I am missing in my assumption above?
To test the above I added Console.WriteLine() commands to identify the claims (which is what enables the policies) but the claims in AuthenticationStateProvider are empty. The user appears Authenticated but not Authorized.
It's almost like my "session"/"cookies"(?) are tied to that one browser window. If that's the case then is there a way to set the session/cookies/token (whatever is the appropriate nomenclature) to be shared among browser windows?
If that's not possible what are my alternatives?
Thank you in advance!
I figured out the answer to this.
Azure AD B2C does not preserve custom claims. I’m not sure exactly why but when a new browser window is opened, the token does not contain the custom claims I include. The only way to get those custom claims is to log out and log back in. That is because I use an API connector to add the claims during sign in.
I was assuming that once the token had the custom claims, the browser would maintain them, but that indeed makes no sense; therefore the way to re-enrich the token claims is to - for example - call an API if there is a token and add the claims.
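The re-enrichment the answer describes can be done in Blazor WASM with a custom account claims principal factory, which runs every time the app builds an authentication state (sign-in, new tab, silent renewal). This is an added example, not the original poster's code; the named HTTP client "ServerAPI", the `api/me/claims` endpoint and its JSON shape are assumptions.

```csharp
using System.Net.Http.Json;
using System.Security.Claims;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;

// Adds the custom claims the B2C API connector only supplies at interactive
// sign-in, so a token acquired silently in a new window still satisfies policies.
public class ClaimsEnrichingAccountFactory : AccountClaimsPrincipalFactory<RemoteUserAccount>
{
    private readonly IHttpClientFactory _clientFactory;

    public ClaimsEnrichingAccountFactory(IAccessTokenProviderAccessor accessor,
                                         IHttpClientFactory clientFactory) : base(accessor)
    {
        _clientFactory = clientFactory;
    }

    public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
        RemoteUserAccount account, RemoteAuthenticationUserOptions options)
    {
        var user = await base.CreateUserAsync(account, options);
        if (user.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
            return user; // anonymous user: nothing to enrich

        // Assumed named client that attaches the B2C access token to requests
        // (e.g. registered with BaseAddressAuthorizationMessageHandler).
        var client = _clientFactory.CreateClient("ServerAPI");
        try
        {
            // Hypothetical endpoint: returns { "claimType": "value", ... } for the caller,
            // computed server-side from the validated token, never from client input.
            var extra = await client.GetFromJsonAsync<Dictionary<string, string>>("api/me/claims");
            foreach (var (type, value) in extra ?? new())
            {
                // Skip claims the token already carries (fresh sign-in case).
                if (!identity.HasClaim(c => c.Type == type))
                    identity.AddClaim(new Claim(type, value));
            }
        }
        catch (HttpRequestException)
        {
            // Enrichment failed: user stays authenticated but without the custom
            // claims, so [Authorize(Policy = ...)] fails closed instead of granting access.
        }
        return user;
    }
}

// Program.cs registration (assumed "AzureAdB2C" configuration section):
// builder.Services.AddMsalAuthentication(options =>
//     builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication))
//     .AddAccountClaimsPrincipalFactory<ClaimsEnrichingAccountFactory>();
```

Client-side policies only shape the UI; the API behind "ServerAPI" must still validate the token and enforce authorization itself.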