I have:
- ASP.NET Core for the backend, which has access to the DB and other stuff
- Blazor WASM SPA for the website
- MAUI Blazor Hybrid for the mobile app
- Razor RCL that is shared between the app and the website
- Using the new Identity endpoints on the backend (also EF, custom AuthenticationStateProvider, etc.)

The idea is that I make a website and an app from the same code. As in, not having to write the app and website separately, with one backend that works for both of them.
That has worked well so far, but I’m stuck and confused with regard to authorization and authentication and how to implement it so that they both use the same backend and both can use external logins as well, such as Google, Apple, etc. I also want users to be able to stay logged in for longer periods, basically until they decide to log out. What would be the ideal way to go about this? And preferably using Microsoft Identity features; I’m not really a security expert, so I don’t want to experiment with my own implementations.
For Blazor WASM (website) I can just do Identity cookies and that would probably work, but then apps can’t have cookies, so I would have to go with bearer tokens, but then Blazor supposedly can’t securely store tokens if it’s not on the server side, so where would I store them? I also had trouble adding services on the backend for both cookies and bearer tokens. Or would Blazor Identity cookies just work on Blazor/MAUI Hybrid, since it’s all wrapped in a WebView? Microsoft in their guides often want you to make use of 3rd-party identity providers, which I very much do not want.
So I have already lost a lot of time on that, and I’m unsure what to explore next and am afraid of losing even more time by going in the wrong direction. There is a lot of info on the web, but a lot of it is not for my case and a lot of it is outdated; it’s just one big mess as far as I’m concerned. And I haven’t even started looking into external login.
Can someone help? Am I missing something obvious?