cookie and access token out of sync about blazorauthenticationandauthorization HOT 5 CLOSED

That's normal. The client application decides on its own lifetime (via the cookie, which comes from the identity token), the IDP decides on the access token lifetime. To avoid a user not being able to access the API, the access token should be refreshed when it has expired. A good approach for this is via a custom handler - I've got an example of that here: https://github.com/KevinDockx/SecuringAspNetCore3WithOAuth2AndOIDC/blob/master/Finished%20sample/src/ImageGallery.Client/HttpHandlers/BearerTokenHandler.cs

from blazorauthenticationandauthorization.

@KevinDockx so with this architecture (razor app/client, API, IDP) you'd always want the razor app to request offline access so it can refresh the token if needed?

from blazorauthenticationandauthorization.

Yes, with a Blazor Server app you can indeed do that because you can safely store the refresh token.

from blazorauthenticationandauthorization.

@KevinDockx me again. Not trying to be annoying since i know this is more an example to get started rather than a production ready instance. I did run into an issue with the BearerTokenHandler. If I had multiple API calls being made sometimes the refresh call would be made twice and the second one would fail due to the refresh token already being used. I found some built in middleware that handled this.

services.AddAccessTokenManagement(options =>
            {
                options.Client.Scope = "scopeforapi";
            });
services.AddHttpClient<IEmployeeDataService, EmployeeDataService>(client =>
            {
                client.BaseAddress = new Uri("https://api.com/");
            }).AddUserAccessTokenHandler();

from blazorauthenticationandauthorization.

Thanks for this, I didn't know IdentityModel contained such a handler. Going to use this one from now on :-)

from blazorauthenticationandauthorization.