
Add the latest recommended passing tokens approach #35482


Open: wants to merge 6 commits into main

Conversation

@guardrex (Collaborator) commented May 16, 2025

Fixes #31691
Addresses #35225

As usual, the updates are based on 🦖 RexHacks!™ 🙈, so get ready for some potential code smells 💩👃😁 that we'll need to fix.

A couple of items to discuss for resolving this ...

  • WRT getting the access token out of the cookie ...

    context.Properties.Items.Remove("access_token");

    That line doesn't seem to be removing the access token because the access token can still be obtained in ValidateOrRefreshCookieAsync, which is called after OnSigningIn. Is that the wrong way to remove the access token from the cookie? [It's on the PR in spite of being a no-op at the moment.]

  • You suggested ...

    what we probably could do now is make the ServerWeatherForecaster inject the AuthenticationStateProvider rather than the IHttpContextAccessor since the access token is now in a claim and we no longer need access to the AuthenticationProperties from the HttpContext.

    When I injected AuthenticationStateProvider into the ServerWeatherForecaster and tried to use it ...

    internal sealed class ServerWeatherForecaster(IHttpClientFactory clientFactory,
        AuthenticationStateProvider authStateProvider, IConfiguration config) : IWeatherForecaster
    {
        public async Task<IEnumerable<WeatherForecast>> GetWeatherForecastAsync()
        {
            ...
            // Throws InvalidOperationException when this service isn't resolved inside a Razor component's DI scope.
            var authState = await authStateProvider.GetAuthenticationStateAsync();
            // FirstOrDefault + ?. so a missing claim reaches the throw expression instead of First throwing on its own.
            var accessToken = authState.User.Claims.FirstOrDefault(c => c.Type == "AccessToken")?.Value ??
                throw new InvalidOperationException("No access token!");
            ...

            var response = await client.SendAsync(request);

            ...
        }
    }

    ... it throws when calling GetAuthenticationStateAsync stating ...

    System.InvalidOperationException: 'Do not call GetAuthenticationStateAsync outside of the DI scope for a Razor component. Typically, this means you can call it only within a Razor component or inside another DI service that is resolved for a Razor component.'

    Therefore, I went back to getting the claim from HttpContext, which is working 🎉 and on the PR.


Internal previews

📄 File | 🔗 Preview link
aspnetcore/blazor/call-web-api.md | aspnetcore/blazor/call-web-api
aspnetcore/blazor/security/additional-scenarios.md | aspnetcore/blazor/security/additional-scenarios
aspnetcore/blazor/security/blazor-web-app-with-entra.md | aspnetcore/blazor/security/blazor-web-app-with-entra
aspnetcore/blazor/security/index.md | aspnetcore/blazor/security/index
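The two points raised above (moving the access token out of the authentication properties into a claim during cookie sign-in, and reading it from HttpContext in a server-side service rather than through AuthenticationStateProvider) as an added example, not code from this PR or from the ASP.NET Core docs. It assumes the OIDC handler is registered with SaveTokens = true, which stores tokens in AuthenticationProperties.Items under the ".Token." key prefix (so the stored key is ".Token.access_token"); the claim type name and the two helper classes are hypothetical.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

// Claim type used to carry the access token inside the encrypted auth cookie (hypothetical name).
public static class AccessTokenClaim
{
    public const string Type = "AccessToken";
}

public static class CookieTokenEvents
{
    // Wire up with: options.Events.OnSigningIn = CookieTokenEvents.MoveAccessTokenToClaim;
    public static Task MoveAccessTokenToClaim(CookieSigningInContext context)
    {
        // GetTokenValue reads the ".Token.access_token" entry written by SaveTokens = true.
        var accessToken = context.Properties.GetTokenValue("access_token");
        if (accessToken is null || context.Principal?.Identity is not ClaimsIdentity identity)
        {
            return Task.CompletedTask;
        }

        identity.AddClaim(new Claim(AccessTokenClaim.Type, accessToken));

        // Items.Remove("access_token") is a no-op because the stored key carries the
        // ".Token." prefix. Only the access token is dropped here; refresh_token and
        // expires_at stay in the properties so a refresh handler can still use them.
        context.Properties.Items.Remove(".Token.access_token");
        return Task.CompletedTask;
    }
}

public static class HttpContextTokenReader
{
    // Reads the claim from the current request's principal. Works from any server-side
    // DI service during a request; no Razor component scope is required, unlike
    // AuthenticationStateProvider.GetAuthenticationStateAsync.
    public static string GetAccessToken(IHttpContextAccessor accessor)
    {
        var user = accessor.HttpContext?.User
            ?? throw new InvalidOperationException("No HttpContext: call this during a server request.");
        return user.FindFirst(AccessTokenClaim.Type)?.Value
            ?? throw new InvalidOperationException("Principal carries no access token claim.");
    }
}
```

Because the claim travels in the data-protected cookie, the token is only as safe as the cookie itself; keep the cookie HttpOnly and Secure, and do not add the claim to any principal that is serialized elsewhere (for example, to a browser-visible claims list).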

@guardrex guardrex self-assigned this May 16, 2025
@guardrex guardrex force-pushed the guardrex/blazor-passing-tokens branch from e1f1442 to d653a02 Compare May 16, 2025 18:39
@guardrex guardrex requested a review from halter73 May 19, 2025 18:01
@guardrex guardrex marked this pull request as ready for review May 19, 2025 18:22
Successfully merging this pull request may close these issues.

Update section on passing tokens in Blazor Web Apps