Miss a strategy to handle the refresh of tokens #19797
Comments
As far as I know, Blazor Server is a server-side application and the secrets are never treated on the client. This is opposite to Blazor WebAssembly where, I'm with you, we should never handle secrets, and thus the OAuth implicit flow is used (no client secret, no refresh_token, etc.). The linked article does refer to Blazor Server, and for completeness the refresh_token workflow is worth covering...
Oh ... sorry about that @andmig-ilty ... I did misinterpret the issue. I'm buried in a thorny issue elsewhere, and it takes just about all of my (small) brain to process it. 😖 Yes, we don't show that ... yet anyway. I'll put this on the Blazor project for triage for further discussion.
It might take a week (or a few) to get to this. The engineers on the product unit are all 🏃😅 like crazy right now working on the .NET 5 release for RC1. I'll see after RC1 lands if we can get a remark from them on what they'd like to show. You're welcome to post your suggestion here for discussion if you want.
@javiercn ... @andmig-ilty is asking if we can add content + example code for Blazor Server automatic token refresh using the refresh token in btw- I checked our regular Security & Identity node topics, but I don't see a good specific topic for this scenario. I've also looked at the (new) Azure examples+docs but didn't find a good topic.
@javiercn ... Should we add content and example code for Blazor Server automatic token refresh using the refresh token in
I tried to set up my TokenProvider object to contain Func<Task> instead of the plain text token itself. My thinking was when getting the token, my closure would run and I would get the latest token rather than the initial one. Unfortunately the framework did not like that, as somewhere in the pipeline (I am guessing between the cshtml file and the Blazor app) the TokenProvider object needs to be serialised - so no lambda possible there. I have an app with a 1 hour token expiry, so without an example to get a live token I am a bit stuck (I really don't want to force the user to log in just because his token has expired). If anyone has made any progress here, please let us know.
@BrettMahon any parameter that you pass down to a root component needs to be serializable. @guardrex there's nothing special about doing the token refresh from server-side Blazor. It involves sending a request to the token endpoint of the OIDC/OAuth provider in the same way you do in a web application.
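The refresh request described in the comment above, sketched as an added example that is not part of the thread or of the ASP.NET Core docs: a server-side helper that exchanges the refresh token at the provider's token endpoint (RFC 6749, section 6) and keeps the old refresh token when the provider does not rotate it. `TokenSet`, `TokenRefresher`, the one-minute skew and sending the client secret in the form body are assumptions; some providers require HTTP Basic client authentication instead.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Hypothetical holder for the tokens kept on the server for one user.
public sealed record TokenSet(string AccessToken, string RefreshToken, DateTimeOffset ExpiresAt);

public sealed class TokenRefresher
{
    // Refresh slightly early so a token does not expire mid-request.
    private static readonly TimeSpan Skew = TimeSpan.FromMinutes(1);
    private readonly HttpClient _http;
    private readonly Uri _tokenEndpoint;      // taken from the provider's metadata
    private readonly string _clientId, _clientSecret;

    public TokenRefresher(HttpClient http, Uri tokenEndpoint, string clientId, string clientSecret)
        => (_http, _tokenEndpoint, _clientId, _clientSecret) = (http, tokenEndpoint, clientId, clientSecret);

    public async Task<TokenSet> GetValidAsync(TokenSet current)
    {
        if (DateTimeOffset.UtcNow < current.ExpiresAt - Skew) return current;

        using var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = current.RefreshToken,
            ["client_id"] = _clientId,
            ["client_secret"] = _clientSecret,   // stays on the server, never sent to the browser
        });
        using var response = await _http.PostAsync(_tokenEndpoint, form);

        // A revoked or expired refresh token comes back as 400 invalid_grant:
        // the caller must send the user through sign-in again. The body is not logged.
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException($"Token refresh failed with HTTP {(int)response.StatusCode}.");

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = doc.RootElement;
        var access = root.GetProperty("access_token").GetString()
                     ?? throw new InvalidOperationException("Token response has no access_token.");
        // With rotation the response carries a new refresh token that replaces the old one.
        var refresh = root.TryGetProperty("refresh_token", out var r)
            ? r.GetString() ?? current.RefreshToken
            : current.RefreshToken;
        // expires_in is optional; without it the token is treated as already due for refresh.
        var lifetime = root.TryGetProperty("expires_in", out var e) ? e.GetInt32() : 0;
        return new TokenSet(access, refresh, DateTimeOffset.UtcNow.AddSeconds(lifetime));
    }
}
```

The returned `TokenSet` has to be written back to wherever the app keeps the user's tokens, otherwise a rotated refresh token is lost on the next call.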
It's cross-linking the "in the same way" bit that concerns me. OAuth2 docs have ... ... and truly, that's about it here or there AFAICT. I haven't found a sample app that does it in our doc sets. I suppose refresh is for
... in the cert security topic. I don't see a good example in Azure docs+samples either. Sorry that I'm so rusty on this scenario 👴 ... I'll research further asap.
Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core which hasn't been addressed, please file a new issue.
It would be great if this article would also contain a pattern to handle the token expiration and refresh of the access_token.
BTW, I applied the suggested pattern while using a customized OAuth provider and it still works fine!