FusionAuth
    jphelps
    Best posts made by jphelps

    • RE: Blazor WASM auth

      @dan @ethalacker and I actually got the whole login/logout working with FusionAuth and Blazor wasm! 👍
      The last thing we are struggling with is the login redirect.

      Initially the login request is for an iframe and per the documentation FusionAuth includes an X-Frame-Options DENY. This iframe login fails in the browser, but then a full redirect is done and login works. We tried adding the request origin to the application configuration, per robotdan's suggestion in this Stack Overflow post to cause FusionAuth to remove that header.

      The authorized request origin URLs does not appear to cause the header to be removed in our tests.

      Authorized request origin URLs Optional
      
          This optional configuration allows you to restrict the origin of an OAuth2 / OpenID Connect grant request. If no origins are registered for this application, all origins are allowed.
      
          By default FusionAuth will add the X-Frame-Options: DENY HTTP response header to the login pages to keep these pages from being rendered in an iframe. If the request comes from an authorized origin, FusionAuth will not add this header to the response. If you wish to load FusionAuth login pages in an iframe you will need to add the request origin to this configuration.
      
      
      posted in Q&A
      jphelps
    • RE: Blazor WASM auth

      Thanks for your help and responses @robotdan!

      @ethalacker and I have been going over this and we believe we understand why things are working the way they are.

      The Origin header is not being sent by the Blazor authentication system which is based on oidc-client.js. Since the requests are coming from ajax/XHR and the Sec-Fetch-Mode header is navigate, the browser will not include the Origin header according to the Fetch API. Thus there is not a header for FusionAuth to check.

      What I do find a bit confusing is the following. Why does FusionAuth return the full login page HTML with an X-Frame-Options header with DENY, if it can see Sec-Fetch-Dest header is iframe and there is not an Origin header to check against the Authorized request origin URLs. It would make more sense to me to return a 302 redirect to the application login callback.

      We have tested our application against several OIDC providers, and the other providers do a 302 redirect to the application login callback.

      posted in Q&A
      jphelps
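
Added example, not part of either post and not FusionAuth code: a small triage helper that applies the documentation rule quoted in the first post to a captured request/response pair and reports which case you are in, including the missing-Origin case described in the second post. The function names, result labels, the `app.example.com` origin and the header captures are all constructed for illustration.

```javascript
// Constructed captures (not from the thread): the hidden-iframe login request
// carries Sec-Fetch-* headers but no Origin, and the login page comes back DENY.
const AUTHORIZED = ["https://app.example.com/"]; // hypothetical configured origin
const silentRequest = { "Sec-Fetch-Dest": "iframe", "Sec-Fetch-Mode": "navigate" };
const deniedResponse = { "X-Frame-Options": "DENY" };

// HTTP header names are case-insensitive, so compare on lower-cased keys.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
}

// Reduce a URL or Origin value to scheme://host[:port]; null if opaque or unparsable.
function normalizeOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// Classify a login-page response against the quoted rule (X-Frame-Options only).
function explainFrameBlock(requestHeaders, responseHeaders, authorizedOrigins) {
  const req = lowerKeys(requestHeaders);
  const res = lowerKeys(responseHeaders);
  if ((res["x-frame-options"] || "").toUpperCase() !== "DENY") return "no-deny-header";
  // No Origin header: nothing to compare against the configured list.
  if (!("origin" in req)) return "no-origin-header";
  const origin = normalizeOrigin(req.origin);
  const allowed = new Set(authorizedOrigins.map(normalizeOrigin).filter(Boolean));
  if (origin === null || !allowed.has(origin)) return "origin-not-authorized";
  // Listed origin yet still DENY: the configuration is not taking effect.
  return "authorized-origin-still-denied";
}

console.log(explainFrameBlock(silentRequest, deniedResponse, AUTHORIZED));
```

Feed it the headers copied from the browser's network panel for the iframe request; origins are compared after normalization, so a trailing slash, default port or upper-case host in the configured list does not cause a false mismatch.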
