dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

Blazor WebAssembly - Refresh Token Flow #18602

Closed TheMagnificent11 closed 4 years ago

TheMagnificent11 commented 4 years ago

I was wondering whether Blazor WebAssembly backed by IdentityServer (as in the "individual accounts" option of the Blazor WebAssembly Visual Studio template) supports the refresh token flow.

That is when it authenticates and receives a token, does it have an access token that expires after a small amount of time and a refresh token that lasts significantly longer and can be used to get new access tokens?

The reason for this question is based on my hunch that using the AuthorizeAttribute on Razor pages likely doesn't support the Policy property and only evaluates the access token to authorize a page. So, changing a user's claims wouldn't require a log-out and log-in if the refresh token flow with a small expiry for the access token was supported.



guardrex commented 4 years ago

supports the refresh token flow

It doesn't client-side for Blazor WASM (Razor components in the Client app). The scenario would be a security risk for exactly the reason that you mentioned ... they can't be secured. You can use refresh tokens server-side. We have some info on that pertaining to 3rd party APIs, where you wouldn't want to send the refresh token down to the client but still permit the client to make 3rd party calls ... that's covered at https://docs.microsoft.com/en-us/aspnet/core/security/blazor/webassembly/additional-scenarios?view=aspnetcore-3.1#options-for-hosted-apps-and-third-party-login-providers

As with your last question, I don't understand the mix of "page" in the question. There are no pages (Razor Pages) in a Blazor WASM app client-side. I think you must be asking about a Server app of a hosted solution, where you could have Razor Pages. In that case, yes, Identity should work as it normally does.

Policies are supported in Razor components as I linked on the other issue, and the [Authorize] attribute can be applied with a policy. Like I said before though, we can't handle support requests, so I recommend that you consult with devs on a support channel for help with a specific use case scenario ...
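As an added illustration of the policy point above (this is not code from the issue or from the AspNetCore.Docs repository), the following Client-project `Program.cs` for a 3.1-era Blazor WebAssembly app registers a named policy and a component then applies it with `[Authorize(Policy = ...)]`. The policy name `RequiresAdmin`, the `role` claim value and the `App` root component from the template are assumptions. The security-relevant caveat: the client-side policy is evaluated against the claims in the access token the browser currently holds, so it only reflects a claim change once a new token has been issued, and it is a UI convenience only; the Server API must enforce the same policy on every endpoint it protects.

```csharp
// Added example, not the project's own code. Assumes the Blazor WebAssembly
// "individual accounts" template (Microsoft.AspNetCore.Components.WebAssembly.Authentication).
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

public static class Program
{
    public static async Task Main(string[] args)
    {
        var builder = WebAssemblyHostBuilder.CreateDefault(args);
        builder.RootComponents.Add<App>("app"); // App is the template's root component

        // Template registration: hooks the Client up to the Server's IdentityServer endpoints.
        builder.Services.AddApiAuthorization();

        // Named policy evaluated client-side from the claims in the current access token.
        // "RequiresAdmin" and the "role" = "admin" claim are hypothetical; the claim must
        // actually be emitted into the access token by the identity provider for this to pass.
        builder.Services.AddAuthorizationCore(options =>
        {
            options.AddPolicy("RequiresAdmin", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("role", "admin"));
        });

        await builder.Build().RunAsync();
    }
}

// In a Razor component (e.g. Pages/Admin.razor) the policy is applied with the
// directive attribute shown here as a comment, because .razor is not C# syntax:
//
//   @page "/admin"
//   @attribute [Authorize(Policy = "RequiresAdmin")]
//
// The component is then hidden for users whose token lacks the claim. The Server
// API that the component calls must independently check the same policy, e.g. by
// decorating the controller with [Authorize(Policy = "RequiresAdmin")] after
// registering the identical policy in the Server's AddAuthorization(...) call.
```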

guardrex commented 4 years ago

Actually ...... I like the idea of being more explicit about refresh tokens client-side. We have a section ...

https://docs.microsoft.com/en-us/aspnet/core/security/blazor/?view=aspnetcore-3.1#authorization-in-blazor-webassembly-apps

... where I think an explicit statement can live that basically says that refresh tokens shouldn't be sent to Blazor WASM apps.

guardrex commented 4 years ago

I'm going to move that existing section to the Blazor WASM Overview and add a new section there. That makes more sense. I think this section is leftover here from when we didn't have a Blazor WASM security node and overview.

TheMagnificent11 commented 4 years ago

Yes, it appears I have asked a question about the wrong doc page. Yes, it would be good if there was more info about the refresh-token flow on the page you mentioned (https://docs.microsoft.com/en-us/aspnet/core/security/blazor/webassembly/?view=aspnetcore-3.1).

Or perhaps here: https://docs.microsoft.com/en-us/aspnet/core/security/blazor/webassembly/hosted-with-identity-server?view=aspnetcore-3.1

guardrex commented 4 years ago

The way we have things set up right now, both the Overview and the Additional scenarios topics are sort of required reading. The reason we don't want all of those additional scenarios covered in the overview is that it bogs the reader down in a lot of implementation guidance. I'm trying to keep the overview topics focused on high-level concepts.

TheMagnificent11 commented 4 years ago

So, I've got a question outside of the docs, does Blazor WebAssembly support the refresh-token flow (for IdentityServer, Azure B2C etc)?

TheMagnificent11 commented 4 years ago

Perhaps I should have asked this question as a normal issue instead of via the docs page

TheMagnificent11 commented 4 years ago

Oh, just saw the docs change in #18604

Thanks.

guardrex commented 4 years ago

Yes ... thanks for calling it out for more coverage.

WRT maintaining and using refresh tokens in the Server app of a Hosted WASM solution so that the Client app doesn't lose access to 3rd party APIs, it's true that we don't have a Blazor sample/example of this. However, I think if you look in the ASP.NET Core security topics for normal ASP.NET Core apps (non-Blazor), the same guidance will apply for the Server app.

The server-side app can keep and use refresh tokens for third-party APIs, and the client-side Blazor WASM app can continue to function transparently obtaining access tokens for as long as it needs to do so when it accesses the server-side app via an API endpoint and the server-side app is what is accessing the third-party API. That's my understanding today per https://docs.microsoft.com/en-us/aspnet/core/security/blazor/webassembly/additional-scenarios?view=aspnetcore-3.1#make-api-calls-from-the-client-to-the-server-api-in-order-to-call-third-party-apis. We don't have a sample for it ... we may one day ... but for now, you'd need to build it out. Talk to devs on support channels if you need a tip or want to discuss your scenario ...
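The pattern described in the two comments above (the refresh token stays in the Server app, the Client only ever talks to a Server API endpoint, and the Server calls the third-party API on its behalf) can be sketched as a single controller. This is an added example, not code from the issue, the docs repository or any sample it mentions: `IThirdPartyTokenStore`, `ThirdPartyTokens`, the `ThirdParty:ClientId` / `ThirdParty:ClientSecret` configuration keys and the `third-party.example` URLs are all hypothetical placeholders.

```csharp
// Added example (not the project's own code): a Server-app endpoint in a hosted
// Blazor WebAssembly solution that keeps the third-party refresh token server-side,
// refreshes it itself, and returns only the API payload to the Client.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

// Tokens held for one signed-in user. Hypothetical type; persist it in a database or
// protected cache keyed by the user's subject id, never in anything sent to the browser.
public record ThirdPartyTokens(string AccessToken, string RefreshToken, DateTimeOffset ExpiresAt);

// Hypothetical store abstraction; the refresh token exists only behind this interface.
public interface IThirdPartyTokenStore
{
    Task<ThirdPartyTokens?> GetAsync(string userId);
    Task SaveAsync(string userId, ThirdPartyTokens tokens);
}

[ApiController]
[Route("api/[controller]")]
[Authorize] // the Client authenticates here with its own IdentityServer access token
public class ThirdPartyRelayController : ControllerBase
{
    private const string TokenEndpoint = "https://third-party.example/oauth/token"; // placeholder
    private const string ApiEndpoint = "https://third-party.example/api/data";      // placeholder

    private readonly IThirdPartyTokenStore _store;
    private readonly IHttpClientFactory _clients;
    private readonly IConfiguration _config;

    public ThirdPartyRelayController(IThirdPartyTokenStore store, IHttpClientFactory clients, IConfiguration config)
    {
        _store = store;
        _clients = clients;
        _config = config;
    }

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        var userId = User.FindFirst("sub")?.Value ?? User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is null) return Forbid();

        var tokens = await _store.GetAsync(userId);
        if (tokens is null) return StatusCode(StatusCodes.Status424FailedDependency, "Third-party account not linked.");

        // Refresh shortly before expiry, entirely server-side; the Client never sees this step.
        if (tokens.ExpiresAt <= DateTimeOffset.UtcNow.AddSeconds(30))
        {
            tokens = await RefreshAsync(tokens);
            if (tokens is null) return StatusCode(StatusCodes.Status424FailedDependency, "Refresh failed; re-link required.");
            await _store.SaveAsync(userId, tokens);
        }

        var client = _clients.CreateClient();
        using var request = new HttpRequestMessage(HttpMethod.Get, ApiEndpoint);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.AccessToken);
        using var response = await client.SendAsync(request);
        if (!response.IsSuccessStatusCode) return StatusCode((int)response.StatusCode);

        // Only the third-party payload goes back to the Blazor WASM Client; no tokens do.
        return Content(await response.Content.ReadAsStringAsync(), "application/json");
    }

    // Standard OAuth 2.0 refresh_token grant, performed by the confidential Server app so
    // that both the refresh token and the client secret stay out of the browser.
    private async Task<ThirdPartyTokens?> RefreshAsync(ThirdPartyTokens current)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = current.RefreshToken,
            ["client_id"] = _config["ThirdParty:ClientId"]!,       // hypothetical config key
            ["client_secret"] = _config["ThirdParty:ClientSecret"]!, // hypothetical config key
        });
        using var response = await _clients.CreateClient().PostAsync(TokenEndpoint, form);
        if (!response.IsSuccessStatusCode) return null;

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = doc.RootElement;
        var access = root.GetProperty("access_token").GetString()!;
        var expiresIn = root.GetProperty("expires_in").GetInt32();
        // Providers may rotate refresh tokens; keep the new one when one is returned.
        var refresh = root.TryGetProperty("refresh_token", out var rt) ? rt.GetString()! : current.RefreshToken;
        return new ThirdPartyTokens(access, refresh, DateTimeOffset.UtcNow.AddSeconds(expiresIn));
    }
}
```

The Client keeps calling `api/ThirdPartyRelay` with its normal IdentityServer access token (the template's authorization message handler attaches it), and it never learns whether a refresh happened. Register `IHttpClientFactory` with `services.AddHttpClient()` and an `IThirdPartyTokenStore` implementation in the Server's `Startup`; if the store is a database table, protect the refresh token column with the Data Protection APIs or equivalent encryption at rest.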

TheMagnificent11 commented 4 years ago

Thanks for pointing me in the right direction