Update section on passing tokens in Blazor Web Apps

[guardrex]

Description

Per our offline discussion, either (or both) @halter73 and @JeremyLikness are to review the Pass tokens to a server-side Blazor app section to either establish the content directly (a PR) or provide me enough detail (e.g., Stephen's remarks fleshed out further) in an issue comment to set up the section for BWAs.

Stephen, Jeremy ... We can remove one of you if only one review of the section is reasonable. I assigned both to merely to help keep this on the radar until we get it checked out.

Here's the LIVE section link that merely tells readers that this content is due to be updated ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/server/additional-scenarios?view=aspnetcore-8.0#pass-tokens-to-a-server-side-blazor-app

What we have for Blazor Server is in the 7.0 version of the article ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/server/additional-scenarios?view=aspnetcore-7.0#pass-tokens-to-a-server-side-blazor-app

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/server/additional-scenarios?view=aspnetcore-8.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/server/additional-scenarios.md

Document ID

c98be365-408d-7ee6-cb74-14c44d01b0b8

Article author

@guardrex

[timohermans]

I just found this issue, so I'll just leave my two cents here.

I tried applying this to my own blazor server 8 app. When adding a scoped TokenProvider service, the set value will not be handed over to the circuit. The value will initially be set during the prerender, but on the second oninitializedasync null.

What did work was marking the service as singleton, though I'm not sure if this is the way the documentation intended it to be done.

[GStoynev]

#31759 got closed, but let me share what worked for me, if helpful to patch the documentation or to others searching for solution to the issue:

Capturing a cookie inline like this and then passing it as a Parameter to the Routes component where it's stored in the scoped provider seems to do the trick:

<body>
@{
    var cookie = HttpContext?.Request.Cookies["UI"];
    Logger.LogInformation("Cookie captured: {UICookie}", cookie);
}

<Routes Cookie="@cookie" @rendermode="InteractiveServer"/>
<script src="_framework/blazor.web.js"></script>

</body>

[GStoynev]

Another suggestion for that section of the documentation:

Mixing OpenIdConnect in the example creates the impression that there might be some magic happening there, that alleviates the issue with the pre-rendering and the duplicated TokenProvider.

A simple example with a cookie would have been simpler and to the point.

[timohermans]

@GStoynev wow that is a very easy solution 🤔.

One other thing I found out yesterday is that the httpcontext is always available within a HttpClient implementation, wherever you inject it inside the circuit. Which is also what the documentation does, I believe.

[guardrex]

The product unit (PU) is working through their backlog to reach this issue and take a look at the section. I hope we'll have this sorted out no later than the end of next week (2/23).

[guardrex]

Still trying to get 👁️👁️ on this. I'll try to reach out to Stephen and Jeremy again on Monday.

[guardrex]

I was just made aware over on a PU issue of the following approach in an Javier sample app ...

https://github.com/javiercn/BlazorWebNonceService/

I'll take a look at that to resolve this issue ... hopefully within a couple of days.

No 🎲🎲 .... That only addresses the nonce situation. Also, that sample doesn't match the approach that Stephen adopted for the BWA on dotnet/blazor-samples#240.

[guardrex]

UPDATE: I'm emailing again for notes/code/caveats ... and gotchas 😈 ... to address this issue. For now, I've just made the article section refer to the PU issue for further information.

[wildermedeiros]

Correct me if I'm wrong, I was searching for some way to access the AccessToken after a successfully authentication to use with role claims, and I knocked my head towards the HttpContext with IHttpContextAccessor in the IClaimsTransformation, but didn't work and I believe that was because of the services life cycle. Going forward, exploring the API, I found another way to access the token that I didn't find clearly in the docs:

.AddOpenIdConnect("Oidc", options =>
{
   // OIDC configs
   
   options.Events.OnTokenValidated = context =>
   {
       var accessToken = context.TokenEndpointResponse!.AccessToken;
       // ...
       return Task.CompletedTask;
   };
});

In case of having dynamic claims or more authentication schemes, the access token can be stored and accessed later on in the IClaimsTransformation implementation, to provide information for configuring the claims. In any case, it is working and operating for my goal. The project is configured to global interactive server mode. The approach in the code above make sense or have caveats?

[bpsc-wkubis]

I hope this will be resolved sooner rather than later

[shurfa]

seems that it takes too long to solve, my project stopped for this problem to overcome, please give it HP.

[guardrex]

UPDATE (4/21): I've noted this weekly to them because I only understand bits and pieces from the discussion that took place on the product unit's issue. I can't resolve it on my own without their help. There's nothing else that I can do but wait for their response. I think that the workload has been very high for them, and that's why it's taking so long to get an answer. I'll continue to remark on this each week on Fridays. Hopefully, it won't take much longer.

[timohermans]

seems that it takes too long to solve, my project stopped for this problem to overcome, please give it HP.

there have been several suggestions in the issues linked. One of them being using a CircuitHandler to store the token in