BitzArt / Blazor.Auth

Blazor authentication package
https://bitzart.github.io/Blazor.Auth/
MIT License

Expired access token not refreshed #24

Open hannes-ma opened 1 month ago

hannes-ma commented 1 month ago

Hello all, I'm encountering a strange problem using Blazor.Auth on a Blazor Server implementation where the access token is not refreshed after expiration.

I have the following situation:

  1. User logs in and gets the access + refresh token. The access token is valid 2 minutes while the refresh token is valid 2 months.
  2. User stays on one page without doing any operation until the access token expires (after 2 minutes)
  3. User navigates to another page. Sometimes the ServerSidePrerenderAuthenticationStateProvider, which handles the access/refresh token, still sees the access token cookie in the HTTPRequest and passes it on to BuildClaimsPrincipal(). Inside that function the validation of the token then obviously fails as the access token is expired and throws an exception which results in an error to the user instead of attempting to refresh the token.

Just an assumption, but could it be that the server and the browser have a slightly different time of day, so the cookie hasn't been expired and removed on the browser so it is still sending it to the server? I've seen this using Google Chrome.

What could be a possible fix around this? IMO the code in ServerSidePrerenderAuthenticationStateProvider should be changed to allow the access token to fail validation and in this case it should go ahead with the refresh token.
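The fallback the post proposes, written out as an added example in C# (this is not code from BitzArt/Blazor.Auth, and `ResilientClaimsBuilder`, `IRefreshTokenService`, `TokenPair` and the 30-second clock skew are assumptions of this example). An expired access token is treated as "refresh needed" rather than as an error, any other validation failure is treated as anonymous, and the cookie lifetime is derived from the token's own `exp` claim minus a margin so the server never depends on the browser's clock to drop the cookie:

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

// Assumed shape of the token pair handed back by the refresh endpoint.
public record TokenPair(string AccessToken, string RefreshToken);

public interface IRefreshTokenService
{
    // Assumed: exchanges a refresh token for a new pair, or returns null if the refresh is rejected.
    Task<TokenPair?> RefreshAsync(string refreshToken);
}

public sealed class ResilientClaimsBuilder
{
    private readonly JwtSecurityTokenHandler _handler = new();
    private readonly TokenValidationParameters _parameters;
    private readonly IRefreshTokenService _refresh;

    public ResilientClaimsBuilder(SecurityKey signingKey, string issuer, string audience, IRefreshTokenService refresh)
    {
        _refresh = refresh;
        _parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKey = signingKey,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            // Assumed value: the library default skew is 5 minutes, which would silently accept a
            // 2-minute token long after its exp. Server time, not the browser, decides expiry.
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    }

    // Returns the principal plus the (possibly renewed) token pair to write back to cookies,
    // or null when neither the access token nor the refresh token yields a session.
    public async Task<(ClaimsPrincipal Principal, TokenPair Tokens)?> BuildAsync(string? accessToken, string? refreshToken)
    {
        if (!string.IsNullOrEmpty(accessToken))
        {
            try
            {
                var principal = _handler.ValidateToken(accessToken, _parameters, out _);
                return (principal, new TokenPair(accessToken, refreshToken ?? string.Empty));
            }
            catch (SecurityTokenExpiredException)
            {
                // The case from the issue: the browser still sent the cookie after exp.
                // Fall through to the refresh token instead of failing the request.
            }
            catch (SecurityTokenException)
            {
                // Bad signature, wrong issuer/audience, malformed token: do not refresh, treat as anonymous.
                return null;
            }
        }

        if (string.IsNullOrEmpty(refreshToken))
            return null;

        var renewed = await _refresh.RefreshAsync(refreshToken);
        if (renewed is null)
            return null;

        // Validate the freshly issued access token too; a bad refresh response must not
        // produce an authenticated principal.
        try
        {
            var principal = _handler.ValidateToken(renewed.AccessToken, _parameters, out _);
            return (principal, renewed);
        }
        catch (SecurityTokenException)
        {
            return null;
        }
    }

    // Cookie expiry taken from the JWT's own exp claim minus a margin, so a browser whose clock
    // runs slightly behind the server still drops the cookie before the token is actually expired.
    public static DateTimeOffset CookieExpiryFor(string accessToken, TimeSpan margin)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        var validTo = DateTime.SpecifyKind(jwt.ValidTo, DateTimeKind.Utc);
        return new DateTimeOffset(validTo, TimeSpan.Zero) - margin;
    }
}
```

The caller writes the access cookie with `Expires = ResilientClaimsBuilder.CookieExpiryFor(tokens.AccessToken, TimeSpan.FromSeconds(30))` and, whichever path `BuildAsync` took, always re-validates server-side; the cookie margin only reduces how often the expired-token path is hit, it is not what protects the request.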

YuriyDurov commented 1 month ago

Hello @hannes-ma

Thank you for pointing this out, we seem to have been experiencing the same problem. Please let us know if you discover any more details about this issue. We will try to investigate in the near future.

jstafford5380 commented 1 month ago

Is this an issue with mixed mode, where Blazor switches back and forth between client components and server components? There were some Auth0 articles that were talking about how complex that actually is and it was causing similar symptoms.

https://community.auth0.com/t/net-8-0-blazor/119691

hannes-ma commented 1 month ago

@jstafford5380 Well in my case I'm only using server-side rendering (no WASM and also pre-rendering disabled). What I've seen till now is that the issue is not reproducible on my local development environment, where the Blazor application and browser are running on the same host. It only happens when deployed via Docker container on the cloud server, therefore my assumption that it depends on date/time differences between server and client browser.

YuriyDurov commented 1 month ago

@hannes-ma

Agreed, the issue does not seem to relate to the complexity of InteractiveAuto, as we are experiencing it while using just InteractiveWebAssembly rendering.

Probably something to do with timing and at what exact moment expired cookies are getting cleared from the browser. We have implemented the package assuming the expired cookies will no longer be sent after they have expired, but there is clearly something going wrong there.

YuriyDurov commented 1 week ago

At first it seemed like we were experiencing the same issue as the one described here, but at some point it went away. Not sure what caused it to change. I have also tried manually to get it to happen but wasn't able to.

Is anyone here able to replicate this issue at least somewhat consistently? We seem to require additional information on this issue in order to track it down.