Refresh token during http request in Blazor Interactive Server with OIDC #267

Closed
bpsc-wkubis opened this issue Apr 18, 2024 · 2 comments

@bpsc-wkubis

Describe the issue

In the Blazor Web App (Interactive server), the token refresh process occurs during the OnValidatePrincipal cookie event. This event is triggered if the access token is less than 5 minutes away from expiration. However, this event only executes during a complete page reload.

A potential issue arises when a user reloads the page 6 minutes prior to the access token's expiration. In this case, the OnValidatePrincipal event does not refresh the token. If the user continues to interact with the website without a full page reload, the token may expire after 6 minutes. Consequently, all subsequent API requests are rejected. The question is how to handle such a scenario.

To Reproduce

  1. Set up an OIDC server with a short access token lifetime (e.g., 30 seconds) for demonstration purposes.
  2. Create a protected API that validates the access token.
  3. Use the BlazorWebAppOidc sample as the client.
  4. Add a simple action to BlazorWebAppOidc that requests a protected API endpoint.
  5. Refresh the BlazorWebAppOidc app, wait for 30 seconds, and without refreshing the app again, try to request the API.

Expected behavior

The common solution to this issue is to refresh the token during an HTTP request with a DelegatingHandler. However, in our scenario, we cannot override the cookie inside the DelegatingHandler. The expected behavior, therefore, is to be able to refresh tokens in the DelegatingHandler while storing them in cookies. If there's a way to override the cookie inside the DelegatingHandler that I'm not aware of, that could also be a potential solution.



@bpsc-wkubis bpsc-wkubis added the Not triaged Awaiting review label Apr 18, 2024
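
The DelegatingHandler approach the opening comment calls the common solution, sketched as an added example (not code from the BlazorWebAppOidc sample or from either participant). `TokenStore`, `TokenRefreshHandler`, the token endpoint URL and the client id are hypothetical; it assumes implicit usings are enabled, a public client, and a token response that includes `expires_in`.

```csharp
using System.Net.Http.Headers;
using System.Text.Json;

// Hypothetical per-user, server-side token holder; not part of BlazorWebAppOidc.
public sealed class TokenStore
{
    public string AccessToken { get; set; } = "";
    public string RefreshToken { get; set; } = "";
    public DateTimeOffset ExpiresAt { get; set; }
    public SemaphoreSlim Gate { get; } = new(1, 1);
}

public sealed class TokenRefreshHandler(TokenStore store, HttpClient idp) : DelegatingHandler
{
    // Placeholders: use your provider's token endpoint and client id.
    private const string TokenEndpoint = "https://idp.example/connect/token";
    private const string ClientId = "blazor-client";
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(5); // window named in the issue
    private bool NearExpiry => store.ExpiresAt - DateTimeOffset.UtcNow < Window;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        if (NearExpiry)
        {
            await store.Gate.WaitAsync(ct); // serialize: a rotated refresh token must be used once
            try { if (NearExpiry) await RefreshAsync(ct); } // re-check after waiting
            finally { store.Gate.Release(); }
        }
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", store.AccessToken);
        return await base.SendAsync(request, ct);
    }

    private async Task RefreshAsync(CancellationToken ct)
    {
        using var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = store.RefreshToken,
            ["client_id"] = ClientId, // a confidential client also authenticates here
        });
        using var resp = await idp.PostAsync(TokenEndpoint, form, ct);
        resp.EnsureSuccessStatusCode(); // refresh rejected: the user must sign in again
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync(ct));
        var root = doc.RootElement;
        store.AccessToken = root.GetProperty("access_token").GetString()!;
        if (root.TryGetProperty("refresh_token", out var rt)) store.RefreshToken = rt.GetString()!;
        store.ExpiresAt = DateTimeOffset.UtcNow.AddSeconds(root.GetProperty("expires_in").GetInt32());
    }
}
```

Nothing here rewrites the authentication cookie, which is the limitation the issue raises: the refreshed tokens live only in the server-side store. Handlers created through IHttpClientFactory are resolved in their own DI scope, so the per-user `TokenStore` has to be supplied to the handler explicitly.
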
@guardrex
Collaborator

guardrex commented Apr 18, 2024

The best bet to get Stephen's eyes on this ... Stephen Halter built this sample ... is to open it for the product unit. Can you place that into an issue here ...

https://github.com/dotnet/aspnetcore/issues

... and reference the sample app with this link ....

https://github.com/dotnet/blazor-samples/tree/main/8.0/BlazorWebAppOidc

... and also provide a cross-link to this issue so that we don't lose track of things ...

Add .........

cc: @guardrex https://github.com/dotnet/blazor-samples/issues/267

... to the bottom of your opening comment.

Leave this issue open. We'll see where things go with your PU issue on their repo and possibly track changes here for the sample app. Otherwise, I'll end up closing this later and opening a docs issue if we end up covering something in the article.

@guardrex
Collaborator

Based on that answer, I think we should work this from a docs repo issue. This isn't going to be something that the sample is going to address. We can have additional guidance on it in the article.

I'll open that issue now and ping you on it.
