Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
I'm working on a Blazor WebAssembly app that uses MSAL package Microsoft.Authentication.WebAssembly.Msal version 8.0.13 for authentication. I configured the MSAL cache to use localStorage by setting the CacheLocation in MsalProviderOptions like this:
builder.Services.AddMsalAuthentication(options =>
{
    options.ProviderOptions.Cache.CacheLocation = "localStorage";
    // other config...
});
This works well initially—tokens are stored and retrieved as expected. However, after a few hours (presumably when the token expires), the app doesn't seem to automatically acquire a new token. Even when I try to sign out manually using:
await SignOutManager.SetSignOutState();
...any pages decorated with [Authorize] still redirect to the NotAuthorized view. The only workaround I’ve found is to manually clear localStorage in the browser, which obviously isn’t ideal.
Any insights or suggestions would be greatly appreciated!
Expected Behavior
The expected behavior when using localStorage as the cacheLocation in a Blazor WebAssembly app with MSAL should be:
- Persistent Token Storage: Tokens (ID, access, and refresh) should persist across browser sessions as long as they are valid and not manually cleared, since localStorage is not cleared on tab or browser close.
- Automatic Silent Token Renewal: When an access token expires, MSAL should attempt to silently acquire a new token using the refresh token (if available and valid), without requiring user interaction.
- Graceful Sign-Out: Calling SignOutManager.SetSignOutState() should clear the authentication state and redirect the user appropriately. After sign-out, protected routes decorated with [Authorize] should redirect to the login page or a configured fallback, not remain stuck on a NotAuthorized view.
- No Manual Storage Clearing Required: Users should not need to manually clear localStorage to resolve expired token issues. The library should handle token lifecycle management internally.
Steps To Reproduce
- Run a Blazor wasm project with Microsoft.Authentication.WebAssembly.Msal
services.AddMsalAuthentication(remoteAuthenticationOptions =>
{
    remoteAuthenticationOptions.ProviderOptions.Cache.CacheLocation = "localStorage";
    webAssemblyHostBuilder.Configuration.Bind(
        "AzureAd",
        remoteAuthenticationOptions.ProviderOptions.Authentication
    );
});
- appsettings.json with AzureAd section:
"AzureAd": {
    "Authority": "Your-Authority",
    "ClientId": "Your-ClientId",
    "ValidateAuthority": true
}
- Log in to the project and wait until the token has expired.
- Go back to the page and you'll not be able to navigate through the page. Token has not been correctly refreshed.
Need to manually clean localStorage to force app to get a new token.
.NET Version
9.0.204
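
For triaging the stuck state described in this report, the following added example (not part of the original issue, and not MSAL or Blazor code) classifies the cached credentials for one client ID by expiry and reports only key names. It assumes the unencrypted MSAL.js v2 cache layout, where each value is JSON with `clientId`, `credentialType` and `expiresOn` in epoch seconds; the sample keys, the `makeStorage` helper and the verdict strings are constructed for illustration.

```javascript
// Added diagnostic sketch, not code from the issue or from MSAL.
// ASSUMPTION: cache values are JSON with clientId, credentialType and
// expiresOn (epoch seconds), as in the unencrypted MSAL.js v2 browser cache.

// Stand-in for window.localStorage so the sketch also runs under Node.
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
  };
}

// Classify cached credentials for one client ID; only key names are reported.
function auditMsalCache(storage, clientId, nowSec) {
  const report = { expired: [], valid: [], refreshTokens: [], skipped: 0 };
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    let entry;
    try { entry = JSON.parse(storage.getItem(key)); } catch { entry = null; }
    if (!entry || entry.clientId !== clientId) { report.skipped++; continue; }
    if (entry.credentialType === "RefreshToken") {
      report.refreshTokens.push(key);
    } else if (entry.credentialType === "AccessToken") {
      const exp = Number(entry.expiresOn);
      const live = Number.isFinite(exp) && exp > nowSec;
      (live ? report.valid : report.expired).push(key);
    } else {
      report.skipped++;
    }
  }
  // Verdict labels are hypothetical names chosen for this example.
  if (report.expired.length === 0) report.verdict = "no-expired-access-token";
  else if (report.refreshTokens.length > 0) report.verdict = "silent-renewal-expected";
  else report.verdict = "interactive-login-required";
  return report;
}

// Constructed sample data: keys, client ID and timestamps are made up.
const SAMPLE = makeStorage({
  "acct-accesstoken-app1": JSON.stringify({ clientId: "app1", credentialType: "AccessToken", expiresOn: "1700000000", secret: "redacted" }),
  "acct-refreshtoken-app1": JSON.stringify({ clientId: "app1", credentialType: "RefreshToken", secret: "redacted" }),
  "acct-idtoken-app1": JSON.stringify({ clientId: "app1", credentialType: "IdToken", secret: "redacted" }),
  "ui.theme": "dark",
});
console.log(auditMsalCache(SAMPLE, "app1", 1700003600));
```

In a browser console the same function can be called as `auditMsalCache(window.localStorage, "Your-ClientId", Math.floor(Date.now() / 1000))`.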