
Blazor auth: Remove parts referring to localhost Redirect URI port numbers

Open yugabe opened this issue 3 years ago • 5 comments

The part about providing the port number for the localhost redirect URI in the "Register an AAD B2C app:" section is not needed, as localhost addresses are handled differently. It might make this part of the docs a bit easier to consume.

On the Azure Portal's relevant section (B2C tenant, AAD B2C -> App Registrations -> Select one -> Authentication -> Single Page Application), there is a link: Learn more about Redirect URIs and their restrictions

On the linked page, there is a section regarding localhost port numbers:

Redirect URI (reply URL) restrictions and limitations

[...]

Localhost exceptions

Due to ephemeral port ranges often required by native applications, the port component (for example, :5001 or :443) is ignored for the purposes of matching a redirect URI. As a result, all of these URIs are considered equivalent:
http://localhost/MyApp
http://localhost:1234/MyApp
http://localhost:5000/MyApp
http://localhost:8080/MyApp
[...]


It could simply be stated that no port number needs to be set for localhost URIs, and the above could be linked for more information.

The port numbers are referred to again later in the same docs as a reminder to set them if they were randomized in the process.

This could simplify all pages that use client-side auth via AAD or AAD B2C.

Additionally, I think it should be noted that all public redirect URIs (like custom domains) should be added here, and it can be added later without issue.


yugabe avatar Aug 10 '22 11:08 yugabe

Hello @yugabe ... Curious ... did you open this using the This page button and form from the bottom of the topic? Our automated labeling system seems to have failed to label it properly.

guardrex avatar Aug 10 '22 11:08 guardrex

Hi @guardrex. Yes, I used the link on the bottom of the page.

yugabe avatar Aug 10 '22 11:08 yugabe

Hum ... strange. No worries. I just hope it doesn't start constantly failing. It's been great having all of the labels automatically applied.

I'm out of sick leave today due to a dental procedure yesterday ... I'm getting a shiny new tooth to replace one that rotted out of my head! 🤕😆 All good tho ... Dr. Laggen and his staff in Pensacola did a great job! 100% painless! Still tho, he wants me chillin' for a day to recover. I'll take a look at this tomorrow (Thursday).

guardrex avatar Aug 10 '22 11:08 guardrex

Hah, dentists... 😰 No worries, no hurries. It's just that the whole B2C/auth part is the toughest of all the stack imo, so improving this part even by a bit might go a long way.

It sucks this probably relates to multiple pages, as there are some redundancies, but all's for a good cause, I swear.

yugabe avatar Aug 10 '22 11:08 yugabe

Hah, dentists... 😰

Yeah! I was a bit stressed out over it ... BUT ... within 15 minutes of arriving, I was knocked out. Immediately after awaking after what seems like mere seconds, I was being wheeled out in a wheelchair to the car. I didn't even feel the IV get placed because the assistant was so good at it. I have one more major procedure for this tooth ... the titanium post about seven months from now ... but have NO concerns or stress over it based on the smooth, no pain experience yesterday of getting that rotten tooth out of my head! 😆

There's a rumor that they'll look at the entire Blazor security design for an upcoming release (.NET 8, perhaps). They might be able to create a new API with more baked-in simplicity to get everything wired up.

We might also be dropping some or most of these Blazor AAD/B2C/Graph API docs in favor of the Azure/MS Identity and Security docs because we're duplicating a lot of coverage that they maintain. Also, they're better at security than I am in some ways. I prefer writing at a lower level. I prefer more gotchas 😈 and TIPS! in the docs. I prefer hybrid-style security docs that have both reference content (facts and API discussion) AND tutorial content (step-by-step to get a successful experience). For those reasons, I like these docs here. Over in Azure docs and MS Identity/Security docs, they don't have this type of coverage. However, we are duplicating a lot of coverage, and it's costly 💰 to maintain. I was going to perform one of my total overhauls ⛏️🗻 on the security node, but it's obvious that it will take me a full month to do that. With the potential of a total PU Blazor security overhaul in the coming years, we decided not to invest the 💸 treasure on it. It's just too expensive. I'll perform a quick, light pass instead, and we might cut some/most of the coverage when I do.

These are easy/quick updates to make that you're suggesting, and I think we should work your suggestions into the docs. For example, in addition to what you're suggesting on the port number, it's trivial to add a couple of sentences there for the redirect URI like ...

If you know the production redirect URI for the Azure default host (for example, `azurewebsites.net`) or the custom domain host (for example, `contoso.com`), you can also add the production redirect URI at the same time that you're providing the localhost redirect URI. Be sure to include the port number for non-`:443` ports in any production redirect URIs that you add.

guardrex avatar Aug 10 '22 12:08 guardrex
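The two matching rules discussed in this thread (the localhost port exception quoted in the issue, and the later point that production redirect URIs on non-443 ports must be registered with their port) as an added, runnable model. This is illustrative code written for this issue, not Azure AD's implementation or anything from the docs; the registered URIs and the `/callback` path are constructed sample values.

```python
from urllib.parse import urlsplit


def normalize_redirect_uri(uri: str) -> tuple:
    """Return a comparison key for a redirect URI.

    Models the localhost exception quoted in the issue: the port component is
    ignored when the host is 'localhost'. For any other host the port stays
    part of the key, so a production URI served on a non-443 port only
    matches if it was registered with that port. Scheme and host are compared
    case-insensitively (standard URI semantics); the path is compared exactly.
    No default-port folding is assumed (an assumption of this model, not a
    documented Azure AD rule).
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = None if host == "localhost" else parts.port
    return (scheme, host, port, parts.path)


def find_matching_registration(registered: list, candidate: str):
    """Return the registered URI that the candidate matches, or None."""
    key = normalize_redirect_uri(candidate)
    for reg in registered:
        if normalize_redirect_uri(reg) == key:
            return reg
    return None


# Constructed sample registrations: one localhost entry without a port, and
# one production entry on a non-443 port (hypothetical host and path).
REGISTERED = [
    "http://localhost/MyApp",
    "https://contoso.com:8443/callback",
]

if __name__ == "__main__":
    for uri in [
        "http://localhost:5001/MyApp",       # dev server on a random port
        "http://localhost:8080/Other",       # same host, different path
        "https://contoso.com:8443/callback", # production, port included
        "https://contoso.com/callback",      # production, port omitted
    ]:
        print(f"{uri:40} -> {find_matching_registration(REGISTERED, uri)}")
```

The last case is the one guardrex's proposed sentence guards against: dropping the port from a non-443 production URI yields no match, while any localhost port matches the single localhost registration.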