Updates

guardrex · web-flow · commit bfc5c27e4dbd · 2024-12-09T15:29:12.000-05:00
diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md
@@ -232,19 +232,6 @@ Inspect the sample app for the following features:
 
 For more information on (web) API calls using a service abstractions in Blazor Web Apps, see <xref:blazor/call-web-api#service-abstractions-for-web-api-calls>.
 
-:::moniker range="< aspnetcore-10.0"
-
-<!-- UPDATE 10.0 - Check the PU issue for 10.0 work to resolve both issues.
-                   The docs issue is https://github.com/dotnet/AspNetCore.Docs/issues/34235. -->
-
-## Custom cookie refresher (`CookieOidcRefresher.cs`)
-
-The custom cookie refresher (`CookieOidcRefresher.cs`) implementation might need to be updated depending on your Identity Provider. For example, the refresher expects an ID token from the token endpoint. If the refresh token isn't an ID token with claims, the refresher can be updated with additional logic to continue to use the prior set of claims stored in the authentication cookie.
-
-Additionally, work is scheduled for .NET 10 (November, 2025) on [`BlazorWebAppOidc AddOpenIdConnect with GetClaimsFromUserInfoEndpoint = true doesn't propogate role claims to client` (`dotnet/aspnetcore` 58826)](https://github.com/dotnet/aspnetcore/issues/58826) to refresh claims from the `/userinfo` endpoint.
-
-:::moniker-end
-
 ## Client-side Blazor Web App project (`BlazorWebAppOidc.Client`)
 
 The `BlazorWebAppOidc.Client` project is the client-side project of the Blazor Web App.
@@ -533,19 +520,6 @@ Inspect the sample app for the following features:
 
 For more information on (web) API calls using a service abstractions in Blazor Web Apps, see <xref:blazor/call-web-api#service-abstractions-for-web-api-calls>.
 
-:::moniker range="< aspnetcore-10.0"
-
-<!-- UPDATE 10.0 - Check the PU issue for 10.0 work to resolve both issues.
-                   The docs issue is https://github.com/dotnet/AspNetCore.Docs/issues/34235. -->
-
-## Custom cookie refresher (`CookieOidcRefresher.cs`)
-
-The custom cookie refresher (`CookieOidcRefresher.cs`) implementation might need to be updated depending on your Identity Provider. For example, the refresher expects an ID token from the token endpoint. If the refresh token isn't an ID token with claims, the refresher can be updated with additional logic to continue to use the prior set of claims stored in the authentication cookie.
-
-Additionally, work is scheduled for .NET 10 (November, 2025) on [`BlazorWebAppOidc AddOpenIdConnect with GetClaimsFromUserInfoEndpoint = true doesn't propogate role claims to client` (`dotnet/aspnetcore` 58826)](https://github.com/dotnet/aspnetcore/issues/58826) to refresh claims from the `/userinfo` endpoint.
-
-:::moniker-end
-
 ## Client-side Blazor Web App project (`BlazorWebAppOidc.Client`)
 
 The `BlazorWebAppOidc.Client` project is the client-side project of the Blazor Web App.
@@ -680,6 +654,22 @@ The important changes to the `LogInOrOut` component are demonstrated in the foll
 </div>
 ```
 
+:::moniker range="< aspnetcore-10.0"
+
+## Token refresh
+
+<!-- UPDATE 10.0 - Check the PU issue for 10.0 work to resolve both issues.
+                   The docs issue is https://github.com/dotnet/AspNetCore.Docs/issues/34235. -->
+
+The custom cookie refresher (`CookieOidcRefresher.cs`) implementation updates the user's claims automatically when they expire. The current implementation expects to receive an ID token from the token endpoint in exchange for the refresh token. This ID token is then used to overwrite the user's claims.
+
+The sample implementation doesn't include code for requesting claims from the `/userinfo` endpoint on token refresh. For more information, see [`BlazorWebAppOidc AddOpenIdConnect with GetClaimsFromUserInfoEndpoint = true doesn't propogate role claims to client` (`dotnet/aspnetcore` 58826)](https://github.com/dotnet/aspnetcore/issues/58826#issuecomment-2492738142).
+
+> [!NOTE]
+> Some identity providers only return an access token when using a [refresh token](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse). The `CookieOidcRefresher` can be updated with additional logic to continue to use the prior set of claims stored in the authentication cookie.
+
+:::moniker-end
+
 ## Cryptographic nonce
 
 A *nonce* is a string value that associates a client's session with an ID token to mitigate [replay attacks](https://developer.mozilla.org/docs/Glossary/Replay_attack).
