Enable Cross-Browser SSO in Blazor WASM with Azure B2C and IAccessTokenProvider #55033
I'm facing a challenge with a Blazor WebAssembly (WASM) application that integrates with an Azure AD B2C application for authentication, utilizing IAccessTokenProvider for handling access tokens. Our setup currently leverages Azure B2C user flows to support Single Sign-On (SSO) and Keep Me Signed In (KMSI) capabilities, which work seamlessly within the same browser. We want the application to automatically recognize a user's login state across different browsers. For instance, if a user completes the login process in Chrome, we aim for the application to automatically log them in when they access it from Firefox, without requiring them to manually authenticate again. Is it possible to enable Cross-Browser SSO in Blazor WASM with Azure B2C and IAccessTokenProvider?
Replies: 2 comments 1 reply
This is a fundamentally impossible requirement, not specific to the choice of technology or identity provider. The basic difficulty is that sessions in web applications are based on cookies, and cookies are not shared between browsers.

When you get a single sign-on experience, the reason it works is that a cookie-based session was established at the external identity provider (Azure B2C in this case) during the first login. When additional applications want to log in, they redirect to Azure B2C and the browser sends the session cookie in that request. Then - using that cookie - the identity provider is able to authenticate the incoming request, see that there is an existing session, and immediately send tokens to the application without prompting the user to sign in.

When you go across devices or browsers, or even open an incognito/private window of the same browser - anything that has distinct cookies - you can't get a single sign-on experience.

The good news is that most users won't expect to get a single sign-on experience across browsers. There isn't some limitation of your setup specifically that doesn't apply to other applications, so no one will say, "Look at Google/Facebook/Twitter/Amazon - they can do it!" because they don't (and literally can't).
Is it possible to use implicit authentication to bypass the login page? For example, if a user completes the login process in Chrome, then with a specific token in the URL, we aim for the application to automatically log them in when they access it from Firefox.