Cookie & Blazor Server-side

Kevin Azure 141

Is Cookie supported by Blazor Server-side?

How to use Cookie to store Login/Session information?

[so the duplicate login prompt won't come for N days]

2 answers

S.Sengupta 17,311 Reputation points MVP

2023-05-05T00:55:31.1066667+00:00

How do I do cookie authentication in Blazor?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Bruce (SqlWork.com) 61,731 Reputation points

2023-05-05T17:26:35.2766667+00:00

Blazor server uses cookie authentication. Just config the identity cookie the way you would for any asp.net core website.

when blazor server needs authentication it redirects to the login, which unloads the app. Then after login redirects back, the app is reloaded. Unless saved, all state values will be lost. You can avoid this by requiring authentication if the hosting page.

note: typically with blazor WASM you would use bearer tokens.
Please sign in to rate this answer.
Kevin Azure 141 Reputation points

2023-05-05T21:05:48.7866667+00:00

@Bruce (SqlWork.com) Thanks for reply.

So my implementation of Blazor-serverside is as below:

Login prompt user with username/password

Use cookie to store login info (so for next N days no login prompted)

Create AccessToken & RefreshToken for accessing WebAPI

Where should I store the AccessToken & RefreshToken?

Should I store AccessToken in cookie too?

Should I store RefreshToken in cookie too?

Or, Generate both of them dynamically everytime a cold user session restored?

Bruce (SqlWork.com) 61,731 Reputation points

2023-05-07T00:09:39.4233333+00:00

if you want to call the webapi on the behalf of the user, then you need an access token for your webapi. see (EnableTokenAcquisitionToCallDownstreamApi). you also want to cache the refresh token.

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApp(Configuration) .EnableTokenAcquisitionToCallDownstreamApi(new[] { Configuration["scopes"] }) .AddInMemoryTokenCaches();

the default cache is a in memory cache tied to the user id claim. you will need to implement a persistent store for the refresh cache if you want it to last days

with blazor you could also cache refresh token in local storage on the browser.

another approach, is your webapi trusts your front-end site. the frontend would use its service account to get the access token to call the webapi. The user id would be part of the payload.

the main understanding of blazor server, is that there is one web request to setup the hub, and this hub is used to update the UI. the server code has access to httpcontext of the original request that started the hub, but its stale. it is only updated if the blazor app exits and is restarted. your blazor server code in running in that original http request context. the cookie is the cookie at the start of the request. all cookie data can expire. the only way to update the cookie is to reload the blazor app.

just think of blazor server as a long running web request that may take days to complete. the blazor app runs in this request. the blazor server code can do anything a normal web request code can do.

Kevin Azure 141 Reputation points

2023-05-07T16:57:19.9733333+00:00

Thanks - but that was too much options to comprehend.

What is your suggestion instead of AddInMemoryTokenCaches() to persist access token & refresh token in web application?
Sign in to comment

Share via

Cookie & Blazor Server-side

2 answers