Miss a strategy to handle the refresh of tokens

[andmig-ilty]

It would be great if this article would also contains a pattern to handle the token expiration and refresh of the access_token.

BTW, I applied the suggested pattern, while using a customized Oauth Provider and still works fine!

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 6f8acbbf-c9d4-7041-c1a7-ec9ce8f0981b
• Version Independent ID: c98be365-408d-7ee6-cb74-14c44d01b0b8
• Content: ASP.NET Core Blazor Server additional security scenarios
• Content Source: aspnetcore/blazor/security/server/additional-scenarios.md
• Product: aspnet-core
• Technology: aspnetcore-blazor
• GitHub Login: @guardrex
• Microsoft Alias: riande

[andmig-ilty]

As far as I know Blazor Server is a server side application and the secrets are never threated on the client. This is opposite to Blazor WebAssembly where, I'm with you, we should never handle secrets and thus, the oauth implicity flow is then used (no client secret, no refresh_token, etc)

The linked article do refer to Blazor Server and for completeness the refresh_token workflow worth to be covered...

[guardrex]

Oh ... sorry about that @andmig-ilty ... I did misinterpret the issue. I'm buried in a thorny issue elsewhere, and it takes just about all of my (small) brain to process it. 😖

Yes, we don't show that ... yet anyway. I'll put this on the Blazor project for triage for further discussion.

[guardrex]

It might take a week (or a few) to get to this. The engineers on the product unit are all 🏃😅 like crazy right now working on the .NET 5 release for RC1. I'll see after RC1 lands if we can get a remark from them on what they'd like to show. You're welcome to post your suggestion here for discussion if you want.

[guardrex]

Refresh tokens can be maintained and used by the server-side app in a Hosted Blazor WebAssembly solution to access third-party APIs.

@javiercn ... @andmig-ilty is asking if we can add content + example code for Blazor Server automatic token refresh using the refresh token in TokenProvider. Can/should we? If so, can you provide the code or point me to an example that you feel would be the right thing to show?

https://docs.microsoft.com/aspnet/core/blazor/security/server/additional-scenarios#pass-tokens-to-a-blazor-server-app

btw- I checked our regular Security & Identity node topics, but I don't see a good specific topic for this scenario. I've also looked at the (new) Azure examples+docs but didn't find a good topic.