I'm in a scenario where there is a Blazor app that has to be protected.
This app needs a login on a local user store or external auth on Google or Facebook or MS.
I have an ASP.NET Core project that exposes all the APIs for this Blazor app. All API methods are protected with [Authorize] and this API project also implements the login API that generates the JWT token.
With a local login, the login page was on the Blazor app, which called the login API, handled the response, retrieved the JWT and stored it in local storage. For each request, the Blazor app sent the JWT token to the authorized API.
How do I manage external authentication in this case? Is it the Blazor app that has to generate the call to Google, Facebook, ... and then the Google callback will call the API project to generate the JWT?
I cannot understand how to make the flow work, as the APIs are protected by JWT, and I guess external authentication has to call back the API to generate the JWT, but how do I return to the Blazor app?
I don't want to use Identity Server 4, but I could externalize the login page in the API project.