Update section on passing tokens in Blazor Web Apps

[guardrex]

Description

Per our offline discussion, I'll see about implementing Halter's suggestion at Stephen's remarks fleshed out further for this.

Also see #35225.

Here's the LIVE section link that merely tells readers that this content is due to be updated ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/server/additional-scenarios?view=aspnetcore-8.0#pass-tokens-to-a-server-side-blazor-app

What we have for Blazor Server is in the 7.0 version of the article ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/server/additional-scenarios?view=aspnetcore-7.0#pass-tokens-to-a-server-side-blazor-app

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/server/additional-scenarios?view=aspnetcore-8.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/server/additional-scenarios.md

Document ID

c98be365-408d-7ee6-cb74-14c44d01b0b8

Article author

@guardrex

[timohermans]

I just found this issue, so I'll just leave my two cents here.

I tried applying this to my own blazor server 8 app. When adding a scoped TokenProvider service, the set value will not be handed over to the circuit. The value will initially be set during the prerender, but on the second oninitializedasync null.

What did work was marking the service as singleton, though I'm not sure if this is the way the documentation intended it to be done.

[GStoynev]

#31759 got closed, but let me share what worked for me, if helpful to patch the documentation or to others searching for solution to the issue:

Capturing a cookie inline like this and then passing it as a Parameter to the Routes component where it's stored in the scoped provider seems to do the trick:

<body>
@{
    var cookie = HttpContext?.Request.Cookies["UI"];
    Logger.LogInformation("Cookie captured: {UICookie}", cookie);
}

<Routes Cookie="@cookie" @rendermode="InteractiveServer"/>
<script src="_framework/blazor.web.js"></script>

</body>

[GStoynev]

Another suggestion for that section of the documentation:

Mixing OpenIdConnect in the example creates the impression that there might be some magic happening there, that alleviates the issue with the pre-rendering and the duplicated TokenProvider.

A simple example with a cookie would have been simpler and to the point.

[timohermans]

@GStoynev wow that is a very easy solution 🤔.

One other thing I found out yesterday is that the httpcontext is always available within a HttpClient implementation, wherever you inject it inside the circuit. Which is also what the documentation does, I believe.

[guardrex]

The product unit (PU) is working through their backlog to reach this issue and take a look at the section. I hope we'll have this sorted out no later than the end of next week (2/23).

[guardrex]

Still trying to get 👁️👁️ on this. I'll try to reach out to Stephen and Jeremy again on Monday.

[guardrex]

I was just made aware over on a PU issue of the following approach in an Javier sample app ...

https://github.com/javiercn/BlazorWebNonceService/

I'll take a look at that to resolve this issue ... hopefully within a couple of days.

No 🎲🎲 .... That only addresses the nonce situation. Also, that sample doesn't match the approach that Stephen adopted for the BWA on dotnet/blazor-samples#240.

[Kumima]

@pmi24
For InteractiveServer, HttpContext can actually be accessible without that approach, such as using IHttpContextAccessor. But I think that HttpContext is something like readonly. The reason why you meet the problem is SignInManager.SignInAsync() needs to set the cookie which needs to write the HttpContext. So, the login page in the default template is rendered as static.

Blazor authentication is really a complicated topic, especially now we have the Auto mode. I've notice there are many issues raised to discuss what's the best approach, I hope the documentation will keep improving this.

[huazhb]

@pmi24 For InteractiveServer, HttpContext can actually be accessible without that approach, such as using IHttpContextAccessor. But I think that HttpContext is something like readonly. The reason why you meet the problem is SignInManager.SignInAsync() needs to set the cookie which needs to write the HttpContext. So, the login page in the default template is rendered as static.

Blazor authentication is really a complicated topic, especially now we have the Auto mode. I've notice there are many issues raised to discuss what's the best approach, I hope the documentation will keep improving this.

Finally, I found someone noted InteractiveServer does valid for HttpContext and IHttpContextAccessor. The Microsoft website really confusion which state "IHttpContextAccessor]must be avoided with interactive rendering because there isn't a valid HttpContext available.". I think only the code that run at the client side will NOT valid for HttpContext like InteractiveClient or InteractiveAuto that after first initialization.

[nicholasyin]

@pmi24 For InteractiveServer, HttpContext can actually be accessible without that approach, such as using IHttpContextAccessor. But I think that HttpContext is something like readonly. The reason why you meet the problem is SignInManager.SignInAsync() needs to set the cookie which needs to write the HttpContext. So, the login page in the default template is rendered as static.
Blazor authentication is really a complicated topic, especially now we have the Auto mode. I've notice there are many issues raised to discuss what's the best approach, I hope the documentation will keep improving this.

Finally, I found someone noted InteractiveServer does valid for HttpContext and IHttpContextAccessor. The Microsoft website really confusion which state "IHttpContextAccessor]must be avoided with interactive rendering because there isn't a valid HttpContext available.". I think only the code that run at the client side will NOT valid for HttpContext like InteractiveClient or InteractiveAuto that after first initialization.

Yes, by means of debugging I see that the same code gets run twice, in SSR. The first time HttpContext has value while in the second time it's null. So all in all, 'should be avoided' is correct.

[guardrex]

The sample app consists of two projects:

Update to "three projects."