Live Change to Authorization Middleware

Hi all, I'm working on a Blazor WASM application. One of the features I want out of my app is for admins to be able to add external auth providers on the fly. For instance, they can go into the admin panel and turn on Google authentication, and now when people click the sign in/sign up button, they see a button that says "sign in with your Google account" - fairly standard OAuth flow. The part I'm not sure on is how to accomplish the live service change. I know I'm going to need custom auth middleware, but is what I'm looking for possible without reloading the entire application? If not, what is a reliable xplat way to restart a Blazor WASM app?
2 Replies
jcotton42 · 5mo ago
I don't see why this requires shuffling the service config at runtime. Just have all the auth providers registered, but have them skipped during lookup if they're disabled. @TheBrambleShark
TheBrambleShark (OP) · 5mo ago
Part of the intent here is to have a few built in providers (Google, Microsoft, etc.) but also allow for custom OAuth or SAML clients. I imagine setup-wise, the built in ones would likely just be the same generic OAuth client, but with a slimmed down wizard in the admin portal due to some knowledge being well known. The idea is people can add as many custom providers as they want or need for their particular scenario. The predefined options are there to help but with the exception of adding protocol support (like a hypothetical OAuth 3), I don't want any developer involvement. So, everything should be driven by the generic OAuth2 provider looking up required info in the database. I am a bit wary about storage here but other solutions like WordPress work this way. That said, PHP and ASP.NET are very different things.

The exact implementation is something I want to figure out, but I think I have three main goals:

1. No developer involvement needed. Custom providers should be able to be created and modified via a form on the admin portal.
2. Common defaults should be provided for ease of use.
3. One or more custom providers may be added as needed.

I could absolutely do a hybrid approach here - add but disable the built in ones (Google, etc.) until enabled by an admin, then have a separate system just for custom connections be that via OAuth, SAML, or whatever other protocol. Some may need to auth via less common services or even custom ones like Keycloak
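
The "register everything, skip disabled providers during lookup" suggestion and the hybrid approach above, sketched as an added example that is not code from either poster. It assumes the providers are registered in an ASP.NET Core host behind the WASM client; `IProviderToggleStore`, `InMemoryToggleStore` and `ToggleAwareSchemeProvider` are hypothetical names.

```csharp
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

// Hypothetical admin-toggle store; a real one would be backed by the database.
public interface IProviderToggleStore { bool IsEnabled(string schemeName); }

public sealed class InMemoryToggleStore : IProviderToggleStore
{
    private readonly ConcurrentDictionary<string, bool> _enabled = new();
    public void Set(string schemeName, bool enabled) => _enabled[schemeName] = enabled;
    // Fail closed: a provider with no record counts as disabled.
    public bool IsEnabled(string schemeName) =>
        _enabled.TryGetValue(schemeName, out var on) && on;
}

// Every provider stays registered at startup; disabled ones are hidden at lookup.
// Register: services.AddSingleton<IAuthenticationSchemeProvider, ToggleAwareSchemeProvider>();
public sealed class ToggleAwareSchemeProvider : AuthenticationSchemeProvider
{
    private readonly IProviderToggleStore _toggles;
    public ToggleAwareSchemeProvider(
        IOptions<AuthenticationOptions> options, IProviderToggleStore toggles)
        : base(options) => _toggles = toggles;

    // Only remote handlers (OAuth, OpenID Connect) implement
    // IAuthenticationRequestHandler, so cookie schemes are never filtered.
    private bool Allowed(AuthenticationScheme scheme) =>
        !typeof(IAuthenticationRequestHandler).IsAssignableFrom(scheme.HandlerType)
        || _toggles.IsEnabled(scheme.Name);

    // A challenge against a disabled provider finds no scheme and throws.
    public override async Task<AuthenticationScheme?> GetSchemeAsync(string name)
    {
        var scheme = await base.GetSchemeAsync(name);
        return scheme is not null && Allowed(scheme) ? scheme : null;
    }

    // Feeds the provider buttons shown on the sign-in page.
    public override async Task<IEnumerable<AuthenticationScheme>> GetAllSchemesAsync() =>
        (await base.GetAllSchemesAsync()).Where(Allowed).ToList();

    // Stops the middleware from serving a disabled provider's callback path.
    public override async Task<IEnumerable<AuthenticationScheme>> GetRequestHandlerSchemesAsync() =>
        (await base.GetRequestHandlerSchemesAsync()).Where(Allowed).ToList();
}
```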
