Skip to content

Update Secure an ASP.NET Core Blazor Web App with OpenID Connect (OIDC) to demonstrate Access Token Management #570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update Secure an ASP.NET Core Blazor Web App with OpenID Connect (OIDC) to demonstrate Access Token Management #570

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8ca2f44
Rework Blazor with OIDC to include refresh token handling using Duend…
maartenba Jul 2, 2025
15aa104
Bump AccessTokenManagement
maartenba Aug 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions 9.0/BlazorWebAppOidc/BlazorWebAppOidc/BlazorWebAppOidc.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@

<ItemGroup>
<ProjectReference Include="..\BlazorWebAppOidc.Client\BlazorWebAppOidc.Client.csproj" />
<PackageReference Include="Duende.AccessTokenManagement.OpenIdConnect" Version="4.0.0-rc.2" />
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RTM is around the corner and will be updated

Copy link
Collaborator

@guardrex guardrex Aug 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I asked offline about this in a separate message chain. Generally, they aren't keen on recommending preview packages in production, which is what our readers do with these samples. Will the 3.2.0 package not work for this? If not, when is "around the corner"? Is it like a week ... or month?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

End of August most probably, unless anything slips unexpectedly

<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.0" />
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="9.0.0" />
</ItemGroup>
Expand Down
26 changes: 26 additions & 0 deletions 9.0/BlazorWebAppOidc/BlazorWebAppOidc/CookieEvents.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
using Duende.AccessTokenManagement.OpenIdConnect;
using Microsoft.AspNetCore.Authentication.Cookies;

namespace BlazorWebAppOidc;

/// <summary>
/// Automatically validates the token.
/// See https://docs.duendesoftware.com/accesstokenmanagement/blazor-server/ for more information.
/// </summary>
public class CookieEvents : CookieAuthenticationEvents
{
private readonly IUserTokenStore _store;

public CookieEvents(IUserTokenStore store) => _store = store;

public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should use cookieOptions.Events.OnValidatePrincipal = ... like before rather than have all the ceremony of a custom Events types. Same goes for OidcEvents.

{
var token = await _store.GetTokenAsync(context.Principal!);
if (!token.Succeeded)
{
context.RejectPrincipal();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It appears that the sample no longer rejects the cookie if the token has expired and you cannot use the refresh token to get an unexpired token. Can we add that functionality back?

Also, if the token is missing from the store, wouldn't it be better just to add it back from the store rather than reject the cookie. Since we're still using SaveTokens, it should still be stored int the ClaimsPrincipal.

If we cannot do that, maybe we should log something here. I know we weren't before, but I could see this coming up a lot more often now that something like a server restart can cause it.

}

await base.ValidatePrincipal(context);
}
}
102 changes: 0 additions & 102 deletions 9.0/BlazorWebAppOidc/BlazorWebAppOidc/CookieOidcRefresher.cs
View file
Open in desktop

This file was deleted.

26 changes: 0 additions & 26 deletions 9.0/BlazorWebAppOidc/BlazorWebAppOidc/CookieOidcServiceCollectionExtensions.cs
View file
Open in desktop

This file was deleted.

38 changes: 38 additions & 0 deletions 9.0/BlazorWebAppOidc/BlazorWebAppOidc/OidcEvents.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
using Duende.AccessTokenManagement;
using Duende.AccessTokenManagement.OpenIdConnect;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

namespace BlazorWebAppOidc;

/// <summary>
/// Stores access token and refresh token in the server-side token store once a token is validated.
/// See https://docs.duendesoftware.com/accesstokenmanagement/blazor-server/ for more information.
/// </summary>
public class OidcEvents : OpenIdConnectEvents
{
private readonly IUserTokenStore _store;

public OidcEvents(IUserTokenStore store) => _store = store;

public override async Task TokenValidated(TokenValidatedContext context)
{
var exp = DateTimeOffset.UtcNow.AddSeconds(double.Parse(context.TokenEndpointResponse!.ExpiresIn));

await _store.StoreTokenAsync(context.Principal!, new UserToken
{
AccessToken = AccessToken.Parse(context.TokenEndpointResponse.AccessToken),
AccessTokenType = AccessTokenType.Parse(context.TokenEndpointResponse.TokenType),
RefreshToken = RefreshToken.Parse(context.TokenEndpointResponse.RefreshToken),
Scope = !string.IsNullOrEmpty(context.TokenEndpointResponse.Scope)
? Scope.Parse(context.TokenEndpointResponse.Scope)
: Scope.Parse(string.Join(" ", context.Options.Scope)),
ClientId = !string.IsNullOrEmpty(context.ProtocolMessage.ClientId)
? ClientId.Parse(context.ProtocolMessage.ClientId)
: ClientId.Parse(context.Options.ClientId!),
IdentityToken = IdentityToken.Parse(context.TokenEndpointResponse.IdToken),
Expiration = exp,
});

await base.TokenValidated(context);
}
}
Loading