Auth0-aspnetcore-authentication "UseRefreshTokens = true;" is not refreshing tokens in Blazor Server

Here is the TL;DR version: When adding the setting UseRefreshTokens = true; to Program.cs (see the larger code snippet at the bottom of this page for more detail), what exactly is the behavior supposed to be within an AspNetCore-based application? Automatic refresh does not appear to be the case in a Blazor Server application.


... okay moving back to the way TL stuff...

Posted a similar question/comments on a closed issue for the auth0-aspnetcore-authentication sdk focusing on the following:

The refresh token does not automatically refresh correctly when using UseRefreshTokens = true.

This issue has long been closed after the reporter submitted a PR and it was accepted and merged (April 2022).

However, the tokens not being refreshed is still my experience in the context of a Blazor Server application. I am leaning heavily into this being an “I’m doing it wrong” and/or “I misunderstand how this works” rather than a bug that needs to be fixed within the Auth0-AspNetCore-Authentication sdk.

Let me add context: I have tried to simplify what I am doing by using the Blazor Sample App, and still no refreshing of tokens occurs.

Maybe my expectations are wrong… Using the sample app, and with the Auth0 tenant application settings, I am setting my application’s ID Token Expiration to a low value, say 60 seconds, and the Refresh Token Expiration to a similar value, and the tokens never refresh. I see the same JWT and refresh token after the expiration date on the /Profile page (edited to show all ID, Access, and Refresh tokens). I would expect that while using the app, it would automatically refresh the token at some point, and if I’m idle, I would expect the app to force me to reauthenticate if I try to access the site, or navigate around, beyond those expiration times.

I have also set up an API in Auth0 to be able to add an Audience in the Program.cs setup, and to set a shorter Access Token expiration, as I wondered if somehow the Access Token’s expiration time would come into play. That seems to have no effect, other than providing another expiry time in a token.

I have noticed, that once I surpass the Maximum Refresh Token Lifetime as set in Auth0, a hard refresh of the Profile page in the sample app continues to give me the original ID and Access tokens, but now the refresh token is blank…

I am assuming, at this point, that I am misunderstanding what the SDK is supposed to do when adding the line options.UseRefreshTokens = true; to the Program.cs setup. This blog post also seems to indicate that the line should provide some sort of automation of the refresh process. I am thinking what needs to occur is an integration of the Auth0.AuthenticationApi SDK and manually setting up the token refresh if there is activity and the token is nearing expiration. If that is the case, then it seems I should reduce dependencies and roll a more custom implementation with the Authentication API for login, logout, and token management.

Anyway, what is this line supposed to actually do within the Blazor Server Sample App, or a Blazor Server app in general? Perhaps the lack of a more dedicated .net core based API does not initialize the automated code within this sdk?

...
builder.Services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"];
    options.ClientId = builder.Configuration["Auth0:ClientId"];
    options.ClientSecret = builder.Configuration["Auth0:ClientSecret"];
    options.Scope = "openid profile email";
}).WithAccessToken(options =>
{
    options.Audience = builder.Configuration["Auth0:Domain"];
    options.UseRefreshTokens = true;  // <--- This is supposed to do what, beyond giving me a refresh token?
});

Hi @jeffcodes

I would recommend you to review the following article regarding securing Blazor Apps:

You might be missing this piece of code inside the Client folder in the Program.cs file:

builder.Services.AddOidcAuthentication(options =>
{
  builder.Configuration.Bind("Auth0", options.ProviderOptions);
  options.ProviderOptions.ResponseType = "code";
});

You can also check if you are not using the Implicit Flow since that does not support refresh tokens.

Let me know if this solves the issue or if you have any other questions!

Kind Regards,
Nik

I’ll read through this again. We have a Blazor Server app, not web assembly, so some of the scaffolding here is different.
Will read up on the implicit flow stuff as well. Thanks.

Hi @jeffcodes

Sorry for the late reply! I will keep investigating the matter regarding refresh tokens for Blazor Server. As far as I have investigated, UseRefreshTokens = true should do the trick for most .NET or Blazor applications, regardless of them being web apps or servers. I presume it might be a matter of the application not being considered secured, and that is why the refresh tokens do not rotate or are not visible.

I will post some useful info as soon as possible regarding the matter, if you have updates of your own, please feel free to post them here if necessary!

Kind Regards,
Nik

I do appreciate it. I had to switch to some other stuff, but will come back to this. Honestly, I have a gut suspicion it is in my setup. The only thing that makes me even question that is that I cannot get it to work with the sample app from Auth0 either.

If I come up with anything, I will certainly come back with that information here.

Hi again.

I found some possible references to the matter; I am not quite sure if you have reviewed these yet:

You mentioned trying out our sample app and that refresh tokens did not work there either; was the sample app the one referenced above by any chance?

Also, I noticed that for your options.Audience you seem to be passing Auth0:Domain. I am not 100% familiar with .NET or Blazor applications, however, I believe it should be something like options.Audience = Configuration["Auth0:Audience"]; as mentioned in this community post.

Also, are you using a custom API by any chance and are you passing in the correct audience inside your implementation?

Kind Regards,
Nik

Thank you, again, so much. I will review when I get a chance.
I was passing in the Audience. Passing in the domain was a suggestion from someone else I just tried before posting. Good catch.

Hey @jeffcodes,
I’m not sure if you solved your problem with refresh tokens.
Just wanted to confirm that Blazor Server apps are ASP.NET Core applications, and the instructions in this article still apply.

Take a look at the sub-section “Adjust the token expiration tolerance” in that article. You may experience some delay in your development environment due to the token expiration calculation.

I hope this helps.

@nik.baleca

Thanks for all the help, both of you. I have gone through all things provided by you two within our application, and most of it within the sample Blazor App provided by Auth0, and none of these result in the token being refreshed. I am able to receive the refresh token; however, nothing I have tried leads to refreshing the ID or Auth tokens.

@andrea.chiarelli, I have gone through the article you linked a number of times as well. We are hitting a PowerBI API, and a local database through a service layer that I can set up to look like an API, so I can follow your steps more closely to get the token refreshed; however, I am still unable to get a refresh.

At this point, I have abandoned trying to further integrate a more automated solution using Auth0 and have written a custom solution to do some of the work that this was intended to do, as we are facing a deadline that cannot be moved.

The documentation you write, @andrea.chiarelli, has helped me with a number of things, and Auth0’s documentation overall has been great. I do appreciate the help. There is clearly something within my implementation or understanding that prevents me from making this all work.

It would be great if Auth0 could provide a fully fledged Blazor Server sample app that you know works for sure simply by uncommenting some code in the Program.cs file to use the refresh tokens, and entering the IDs and values from a user’s Auth0 tenant in the appsettings.json file. If the instructions you have listed are as simple as you have written, then it seems like it would be a pretty simple addition to your Blazor Sample App, noted above.

I am also having this issue with my Blazor Server application. My server app hits an API that is hosting a hub connection used for chatting with users of another application. In my Program.cs I have a call to .WithAccessToken and set options.UseRefreshTokens = true in the setup.

@andrea.chiarelli I followed the document you linked, ensuring I had everything enabled on the Auth0 side.

The issue that is occurring is that the API token is expiring and is not refreshing once expired. The only way to get a new token, it seems, is to log out or clear the security cookie. So given the TTL on the auth for the server app, the user comes back and is not required to sign in. The associated access_token is pulled from claims when initializing the hub connection and has expired.

So I guess the question is, what is the mechanism that triggers the refreshing of the API access token? Is it part of the OIDC backchannel communications that occur, or does there need to be some kind of event handler/token provider put in place to call the Auth0 API to obtain a new token?
