Looking for a discussion on how to perform unobtrusive step-up authentication in Blazor Web (.NET 8). I'm specifically trying to do this with Duende IdP, but I would assume it would apply to all OIDC providers. I used this as my starting point: https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/UserInteraction/StepUp
This is fine if you are just trying to put step-up requirements on pages, but it would be nice to also put requirements on API endpoints. The step-up handler in the sample will ChallengeAsync, which will redirect out to the IdP for step-up authentication. I want to do this without redirecting the browser, since it destroys the page/component state and Blazor has to reload on the callback.
My first thought is to open a child popup window via JavaScript and have the child page open to a server page that executes the ChallengeAsync. ChallengeAsync redirects the popup window to the IdP for step-up, then the callback happens in the popup window, which then sets the new auth cookie. The popup window is the same domain as the Blazor app, so the auth cookie should be shared with the parent Blazor app in the browser. This was also the idea I found here, with no solution from MS: https://github.com/dotnet/aspnetcore/issues/32906
The only thing I can think of is to pass the MFA requirement response all the way to the UI component, which can then execute the JavaScript window.open to make the popup. It would be nice to not have the UI component be responsible for this, but I don't see how you can access JS without being in the UI component context, and it seems JS is needed to create the popup window.
The other issue it looks like I'll run into is that even though the auth cookie would get updated from the popup, the Blazor AuthenticationState would not refresh without a page reload. This seems to be something that is not easily accomplished in MS's design of the AuthenticationStateProvider. See the discussion here: https://github.com/dotnet/aspnetcore/issues/49176
Just trying to consolidate a place for guidance on some way to perform an unobtrusive ChallengeAsync in Blazor. In my case, I'm doing this to allow APIs to have step-up requirements without breaking the Blazor application state. Has anyone accomplished this?
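Added example code for the popup approach described above (not the poster's code and not the Duende sample): a challenge endpoint that the popup opens, and a landing page that notifies the opener once the OIDC callback has refreshed the shared cookie. The endpoint paths, the `acr`/`maxAge` query parameters and the `step-up-complete` message name are this example's own assumptions; the cookie and OpenIdConnect scheme registration from the sample is assumed to already be in place.

```csharp
// Added example (not the poster's code, not the Duende sample): server side of a
// popup-based step-up for a Blazor Web App (.NET 8). Assumes the cookie + OpenIdConnect
// schemes are registered as in the Duende StepUp sample; paths and message name are assumed.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
// builder.Services.AddAuthentication(...).AddCookie(...).AddOpenIdConnect(...) from the sample goes here.

// Forward acr_values / max_age stored in AuthenticationProperties.Items onto the authorize
// request, chaining any OnRedirectToIdentityProvider handler the sample already installed.
builder.Services.PostConfigure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, o =>
{
    var inner = o.Events.OnRedirectToIdentityProvider;
    o.Events.OnRedirectToIdentityProvider = async ctx =>
    {
        await inner(ctx);
        if (ctx.Properties.Items.TryGetValue(OpenIdConnectParameterNames.AcrValues, out var acr))
            ctx.ProtocolMessage.AcrValues = acr;
        if (ctx.Properties.Items.TryGetValue(OpenIdConnectParameterNames.MaxAge, out var maxAge))
            ctx.ProtocolMessage.MaxAge = maxAge;
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Opened by the Blazor page in a popup (window.open). The OIDC callback also lands in the
// popup, so the refreshed auth cookie is shared with the opener on the same origin.
app.MapGet("/auth/step-up", (string? acr, int? maxAge) =>
{
    var props = new AuthenticationProperties { RedirectUri = "/auth/step-up/done" };
    if (!string.IsNullOrEmpty(acr)) props.Items[OpenIdConnectParameterNames.AcrValues] = acr;
    if (maxAge is >= 0) props.Items[OpenIdConnectParameterNames.MaxAge] = maxAge.Value.ToString();
    return Results.Challenge(props, [OpenIdConnectDefaults.AuthenticationScheme]);
}).RequireAuthorization();

// Post-callback landing page: reports the new auth_time claim to the opener and closes itself.
// The opener must check event.origin before trusting the message.
app.MapGet("/auth/step-up/done", (HttpContext ctx) =>
{
    long.TryParse(ctx.User.FindFirst("auth_time")?.Value, out var authTime);
    var html = $$"""
        <!doctype html><html><body><script>
          if (window.opener) window.opener.postMessage({ type: "step-up-complete", authTime: {{authTime}} }, window.location.origin);
          window.close();
        </script>Step-up complete. You can close this window.</body></html>
        """;
    return Results.Content(html, "text/html");
}).RequireAuthorization();
app.Run();
```

The Blazor page's `message` listener should accept only events whose `origin` equals its own and only then trigger the app's AuthenticationState refresh, which is the part the dotnet/aspnetcore issue above leaves unresolved.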