
[.NET 10] Add .NET MAUI Blazor Hybrid sample using Entra workforce ID #2

Closed
mattleibow wants to merge 7 commits into main from dev/maui-blazor-web-workforce-10

Conversation

@mattleibow (Owner)

Add a complete .NET MAUI Blazor Hybrid + ASP.NET Core Web App sample that authenticates against a Microsoft Entra workforce (business) tenant using MSAL.NET and Microsoft.Identity.Web.

Architecture

| Project | Description |
| --- | --- |
| MauiBlazorWebEntraWorkforce | .NET MAUI Blazor Hybrid app (Android, iOS, Mac Catalyst, Windows) |
| MauiBlazorWebEntraWorkforce.Shared | Razor Class Library with shared UI components |
| MauiBlazorWebEntraWorkforce.Web | ASP.NET Core Blazor Server web app + API |

Key features

  • Dual auth: OIDC + Cookie for web browser, JWT Bearer for MAUI API calls
  • WAM broker integration on Windows for SSO with workforce accounts
  • Mac Catalyst workaround using ASWebAuthenticationSession (MSAL lacks maccatalyst TFM)
  • SecureStorage token cache persistence on Windows and Mac Catalyst
  • Interactive PowerShell setup/teardown scripts for Azure app registrations
  • Open-redirect protection on login endpoint

Relationship to dotnet#649

This is the workforce tenant counterpart to the External ID (CIAM) sample in dotnet#649. Key differences:

  • Authority: login.microsoftonline.com/{tenantId} instead of {tenant}.ciamlogin.com
  • No self-service registration (workforce users are admin-managed or invited)
  • WAM broker enabled on Windows (supports workforce SSO)
  • preferred_username claim instead of CIAM emails claim
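As an added illustration of two of the features listed above (dual OIDC+Cookie / JWT Bearer auth, and open-redirect protection on the login endpoint), here is a minimal ASP.NET Core Program.cs. It is not code from this PR or the sample; it assumes Microsoft.Identity.Web is referenced, that the Entra app registration lives in an "AzureAd" configuration section, and the policy name "ApiBearer" and the /login and /api/me routes are made up for the example.

```csharp
// Added example, not the sample's own code. Assumptions: an "AzureAd" config
// section (Instance, TenantId, ClientId, ...) and the route/policy names below.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Browser clients: OpenID Connect sign-in against the workforce tenant
// (login.microsoftonline.com/{tenantId}), with the session kept in a cookie.
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// MAUI clients: tokens acquired through MSAL are sent as JWT bearer tokens on
// API calls. Calling AddAuthentication() again does not change the default
// scheme; it only adds the second handler.
builder.Services
    .AddAuthentication()
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"),
        JwtBearerDefaults.AuthenticationScheme);

builder.Services.AddAuthorization(options =>
{
    // API endpoints accept only bearer tokens; a browser cookie alone is not
    // enough, so a cross-site browser request cannot ride the API on its own.
    options.AddPolicy("ApiBearer", policy => policy
        .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser());
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Login endpoint with open-redirect protection: only a path-relative, same-site
// returnUrl is honoured as the post-sign-in redirect; anything else becomes "/".
app.MapGet("/login", (string? returnUrl) =>
{
    var target = IsLocalUrl(returnUrl) ? returnUrl! : "/";
    return Results.Challenge(
        new AuthenticationProperties { RedirectUri = target },
        new[] { OpenIdConnectDefaults.AuthenticationScheme });
});

// Bearer-only API used by the MAUI client; reads the workforce
// preferred_username claim mentioned in the description.
app.MapGet("/api/me", (ClaimsPrincipal user) =>
        Results.Ok(new { name = user.FindFirstValue("preferred_username") }))
    .RequireAuthorization("ApiBearer");

app.Run();

// Mirrors the core of ASP.NET Core's Url.IsLocalUrl check: the value must start
// with a single "/" (or "~/") and must not be protocol-relative ("//evil.example")
// or use the backslash variant ("/\evil.example"), which browsers treat the same.
static bool IsLocalUrl(string? url)
{
    if (string.IsNullOrEmpty(url)) return false;

    if (url[0] == '/')
    {
        if (url.Length == 1) return true;
        return url[1] != '/' && url[1] != '\\';
    }

    if (url.StartsWith("~/", StringComparison.Ordinal))
    {
        return url.Length == 2 || (url[2] != '/' && url[2] != '\\');
    }

    return false;
}
```

With this layout a browser hitting /api/me with only its cookie gets a 401 rather than a silent success, and a crafted link such as /login?returnUrl=//attacker.example lands the user on "/" after sign-in instead of leaving the site.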

mattleibow and others added 7 commits March 17, 2026 09:03
* Add .NET 10 MauiBlazorWebIdentity sample

Copied 9.0/MauiBlazorWebIdentity and upgraded to .NET 10 with:
- All TFMs and packages updated to net10.0/10.0.2
- Identity Schema v3 with passkey support (PasskeySubmit, Passkeys, RenamePasskey)
- NotFound page with UseStatusCodePagesWithReExecute
- ReconnectModal component
- All identity pages updated from official .NET 10 template
- Cross-platform DB: SQL Server on Windows, SQLite on macOS/Linux
- Bootstrap updated to lib/bootstrap/dist/ (full dist from template)
- App.razor: ResourcePreloader, ImportMap, @assets refs
- Removed IdentityUserAccessor (replaced by RedirectToInvalidUser)
- Removed Tizen platform target
- Preserved all MAUI client auth behavior unchanged

* Rename projects: MauiBlazorWeb → MauiBlazorWebIdentity

- Solution: MauiBlazorWebIdentity.sln (was MauiBlazorWeb.sln)
- Shared: MauiBlazorWebIdentity.Shared (was MauiBlazorWeb.Shared)
- Web: MauiBlazorWebIdentity.Web (was MauiBlazorWeb.Web)
- MAUI: MauiBlazorWebIdentity (was MauiBlazorWeb)
- Removed unnecessary nested MauiBlazorWeb/ subfolder
- All namespaces updated to match
- Differentiates from the non-identity 9.0/MauiBlazorWeb sample

* Fix MAUI build: restore AddMauiBlazorWebView API name, update package versions

- AddMauiBlazorWebView() was incorrectly renamed during global namespace replace
- MAUI packages updated to 10.0.10 (actual available version)
- Microsoft.Extensions.Logging.Debug set to 10.0.0

* Fix nav and CSS to match .NET 10 template

- Add missing 'nav' CSS class to <nav> element in both Web and MAUI NavMenu.razor
- Update MAUI MainLayout.razor.css: add 'color-scheme: light only;'
- Update MAUI NavMenu.razor.css: height -> min-height

* Simplify to SQLite only

Remove conditional SQL Server/SQLite logic — this is a sample app,
no need for cross-platform DB complexity. SQLite works everywhere.

* Fix 401 on logout: use DefaultChallengeScheme pattern from 9.0

AddIdentityApiEndpoints sets DefaultScheme to BearerAndApplicationScheme
(composite scheme for both bearer tokens and cookies). Setting DefaultScheme
to ApplicationScheme overrides this and breaks API auth for MAUI clients.

Instead, only override DefaultChallengeScheme to ApplicationScheme (cookie),
which redirects to /Account/Login on auth challenge while preserving the
composite scheme for authentication. This matches the documented pattern
from MS Learn for MAUI Blazor Hybrid + Identity apps.

* Fix NotFound page to use MainLayout for both Web and MAUI

- Move NotFound.razor from Shared to Web project with @layout MainLayout
  so UseStatusCodePagesWithReExecute renders it with the sidebar/nav
- Create MAUI-specific NotFound.razor with @layout MainLayout since
  Router's NotFoundPage renders outside <Found> (no DefaultLayout)
- Update both Routes.razor to reference their local NotFound pages
- Remove Shared NotFound.razor to avoid ambiguous route matching

* Fix MAUI login styling, SecureStorage entitlements, and Remember Me

- Style MAUI Login.razor to match web login (form-floating, btn-lg)
- Add Remember Me checkbox with conditional token persistence
- Add keychain-access-groups entitlement for Mac Catalyst SecureStorage
- Extract TokenStorage.DeserializeToken for memory-only token path

* Fix edge-to-edge safe area handling for Android and iOS

Make safe area CSS rules universal instead of iOS-only (@supports
-webkit-touch-callout). This enables proper safe area handling on
Android 15+ (API 35+) which enforces edge-to-edge rendering, causing
the app content to render behind the status bar.

Changes:
- Remove @supports (-webkit-touch-callout: none) wrapper so safe area
  rules apply to both Android and iOS
- Change status bar background from #f7f7f7 to rgb(3, 23, 62) to match
  the sidebar navbar color (gradient start rgb(5,39,103) composited with
  the top-row overlay rgba(0,0,0,0.4))
- Apply env(safe-area-inset-left) universally for landscape orientation
  sidebar padding on both platforms

See: dotnet/maui#34462

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add a complete .NET MAUI Blazor Hybrid + ASP.NET Core Web App sample
that authenticates against a Microsoft Entra workforce (business)
tenant using MSAL.NET and Microsoft.Identity.Web.

Three projects:
- MauiBlazorWebEntraWorkforce: MAUI app (Android, iOS, Mac Catalyst, Windows)
- MauiBlazorWebEntraWorkforce.Shared: Razor Class Library with shared UI
- MauiBlazorWebEntraWorkforce.Web: ASP.NET Core Blazor Server web app + API

Includes:
- Interactive setup/teardown PowerShell scripts for Azure app registrations
- Dual auth: OIDC+Cookie for web, JWT Bearer for MAUI API calls
- WAM broker integration on Windows for SSO
- Mac Catalyst workaround using ASWebAuthenticationSession
- SecureStorage token cache persistence on Windows and Mac Catalyst

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
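The challenge-scheme point made in the "Fix 401 on logout" commit message above, shown as an added example rather than the sample's own Program.cs. It assumes ASP.NET Core Identity with the EF Core stores, an IdentityDbContext named AppDbContext, and an SQLite connection string; the /api/profile route is made up for the example.

```csharp
// Added example, not the sample's code. Assumes Microsoft.AspNetCore.Identity.
// EntityFrameworkCore and Microsoft.EntityFrameworkCore.Sqlite are referenced.
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db"));

// Registers the cookie and bearer handlers and sets DefaultScheme to
// IdentityConstants.BearerAndApplicationScheme, a composite that accepts either
// a bearer token (MAUI client) or the application cookie (browser).
builder.Services.AddIdentityApiEndpoints<IdentityUser>()
    .AddEntityFrameworkStores<AppDbContext>();

// Only the *challenge* scheme is overridden. An unauthenticated browser request
// now gets the cookie handler's redirect to /Account/Login, while DefaultScheme
// stays composite so a MAUI bearer token still authenticates API calls.
//
// The broken variant the commit describes would instead set
//   options.DefaultScheme = IdentityConstants.ApplicationScheme;
// which replaces the composite scheme and makes every bearer call a 401.
builder.Services.AddAuthentication(options =>
    options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme);

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// /register, /login, /refresh, ... endpoints used by the MAUI client.
app.MapIdentityApi<IdentityUser>();

// Reachable with either a cookie or a bearer token; unauthenticated browser
// requests are redirected to /Account/Login rather than answered with 401.
app.MapGet("/api/profile", (ClaimsPrincipal user) =>
        Results.Ok(new { name = user.Identity?.Name }))
    .RequireAuthorization();

app.Run();

// Identity store backed by SQLite; assumed for the example.
class AppDbContext(DbContextOptions<AppDbContext> options)
    : IdentityDbContext<IdentityUser>(options)
{
}
```

The distinction worth keeping in mind when reviewing this kind of change: DefaultScheme decides which handler(s) run on every request to populate the user, whereas DefaultChallengeScheme only decides what happens when an endpoint requires a user and none is present. Overriding the first to fix a redirect quietly removes bearer support; overriding the second does not.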
mattleibow closed this Apr 17, 2026