
Cancelling new user signup in Azure AD B2C redirects to site's home page, produces "AuthorizationFailed" error

I have a Blazor Hosted WASM application, and am using Azure AD-B2C to secure it. If a user who is not logged in tries to access any site on the page, they are directed to our b2c login page, as they should be, and if they supply a good username and password they are allowed to view the site. So far so good. However, if the user clicks on "Sign up now", and then cancels the signup process instead of providing a new username, password, and e-mail address, then they are redirected to the site's landing page (as if they had provided a good username and password), which fails to redirect them back to the b2c login page and produces a console message reading "info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed. These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user"

The documentation suggests that I access the app's manifest and set the allowPublicClient attribute to null or true to address this problem. I have done this, and the problem persists. Why isn't the user being redirected back to the B2C login page in this case, when they normally would be if they try to access any page on the site (including this landing page) in other cases?

Michael Kossin asked Dec 04 '25 10:12


1 Answer

This is an old thread but wanted to provide an updated answer specifically for Blazor WASM using Azure AD-B2C. If you use the standard template for Microsoft MSAL authentication, you will have an Authentication.razor page that looks like this:

@page "/authentication/{action}"
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication

<RemoteAuthenticatorView Action="@Action" />

@code{
    [Parameter] public string? Action { get; set; }
}

When your app authenticates it routes to this page with a login action, something like this:

Navigation.NavigateTo($"authentication/login?returnUrl={Uri.EscapeDataString(Navigation.Uri)}");

When the login is successful AD-B2C routes back to this page with a login-callback action, probably from your AD-B2C app Redirect URL, and it automatically redirects to the returnUrl:

authentication/login-callback

If the login is not successful, say if the user cancelled the login, then the action is login-failed, but there is no redirect set for this case. To add one, you can modify the Authentication.razor page to look for the login-failed action on a subsequent render, and add a redirect, having first injected NavigationManager:

@page "/authentication/{action}"
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@inject NavigationManager Navigation

<RemoteAuthenticatorView Action="@Action" />

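@code{
    // Bound from the {action} route segment: login, login-callback, login-failed, ...
    [Parameter] public string? Action { get; set; }

    protected override void OnAfterRender(bool firstRender)
    {
        // Skip the first render; act on a subsequent one.
        if (!firstRender)
        {
            // A cancelled or failed sign-in arrives here as the login-failed action.
            if (Action == "login-failed")
            {
                Navigation.NavigateTo("/");
            }
        }
    }
}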

In this case it is redirecting to the default Index, but you could add any valid redirect path in NavigateTo. The routing is managed in the App.razor file using <AuthorizeRouteView> tags, which should be set up by the default template. I have seen other posts that show the different methods of either securing the whole app, specific pages, or specific parts of a page (for example using <AuthorizeView> tags).

Zerprize answered Dec 07 '25 00:12
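An alternative way to handle the login-failed action described in the answer, as an added example that is not part of the original answer or the project template: instead of redirecting in OnAfterRender, fill the LogInFailed slot of RemoteAuthenticatorView, which leaves the user on an unauthenticated page with a link back to sign-in. It assumes the failure text passed to LogInFailed contains the B2C error code AADB2C90091 (user cancelled a self-asserted page); the displayed wording and the IsUserCancel and LoginUrl names are made up for illustration.

```razor
@* Added example: Authentication.razor with a custom login-failed view. *@
@page "/authentication/{action}"
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@inject NavigationManager Navigation

<RemoteAuthenticatorView Action="@Action">
    <LogInFailed Context="message">
        @* Rendered only for the login-failed action; nothing here requires an authenticated user. *@
        @if (IsUserCancel(message))
        {
            <p>Sign-up was cancelled. You are not signed in.</p>
        }
        else
        {
            @* The raw identity-provider message is deliberately not shown to the user. *@
            <p>Sign-in failed. You are not signed in.</p>
        }
        <a href="@LoginUrl">Return to sign-in</a>
    </LogInFailed>
</RemoteAuthenticatorView>

@code {
    // Azure AD B2C error code for a user cancelling a self-asserted page such as sign-up.
    private const string UserCancelledCode = "AADB2C90091";

    [Parameter] public string? Action { get; set; }

    // Same login route the answer navigates to; returnUrl is the app's own base URI,
    // so a later successful sign-in lands on the site root.
    private string LoginUrl =>
        $"authentication/login?returnUrl={Uri.EscapeDataString(Navigation.BaseUri)}";

    // Assumption: the failure text handed to LogInFailed carries the B2C error code.
    private static bool IsUserCancel(string? message) =>
        message?.Contains(UserCancelledCode, StringComparison.OrdinalIgnoreCase) == true;
}
```

Because the failed-login view itself is anonymous, this avoids sending a user who is still unauthenticated to a page that requires authorization.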


