BlazorWebAppOidc sample: incorrect CookieOidcRefresher implementation

[albi005]

Description

CookieOidcRefresher expects an ID token from the token endpoint. This seems wrong, based on the spec, the Duende implementation and the fact that it always fails in my app.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-oidc?view=aspnetcore-8.0&pivots=without-bff-pattern

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/blazor-web-app-with-oidc.md

Document ID

c3346d3a-346b-8db4-2650-ec044b3f0dd9

Article author

@guardrex

Related Issues

[github-actions]

🍂🎃🏮 OOF: Back on Monday, 12/2 🥧☕🍂

Stand by! We're out of the office for the Thanksgiving holiday 🦃.

A green dinosaur 🦖 will be back on Monday (12/2) to assist.

[halter73]

It looks like we need to determine whether the refresh token is really an ID token before indiscriminately reading claims from it. If it's not an ID token, we should probably just continue to use the old claims stored in the cookie. dotnet/aspnetcore#58826 is also related to getting the right claims on refresh, but that's focused on refreshing claims from the /userinfo endpoint if it's enabled.

[guardrex]

So ... @halter73 ... do you want to transfer this issue to the PU repo, or should @albi005 open a new PU issue on this?

[albi005]

In the meantime, I think it would make sense to add a comment to the sample/docs noting that the refresh implementation might need to be updated depending on the Identity Provider.

[guardrex]

I can add whatever makes sense to add, but it's best if one of you who understands what the text should say write it in a comment here for publication, and then I'll edit it for style+grammar and place it in the article. If it should go in under a heading to help surface it in the article, give me proposed heading text as well.

... and since we're adding something to the article, we won't transfer this issue. The question now for @halter73 is if you should open a new PU issue or not.

This issue will remain open until the article is updated, and it will close automatically later when the docs PR merges.