Blazor WebAssembly expired session

When specifying a session timeout with Auth0, is there any documentation on how to set up the client-side to respect it? I’ve used this post as a reference but it doesn’t cover that aspect.

Currently, when the session expires, the application fails to perform calls to the backend but what I’d like to achieve is to kick it to the main page. Also, I thought the CascadingAuthenticationState element wrapping the Router would get triggered but it seems like it allows the stale page to continue working.

A silent error logged:

blazor.webassembly.js:1 crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
      Unhandled exception rendering component: ''
Microsoft.AspNetCore.Components.WebAssembly.Authentication.AccessTokenNotAvailableException: ''
   at Microsoft.AspNetCore.Components.WebAssembly.Authentication.AuthorizationMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at Tva.Client.Infrastructure.BlazorDisplaySpinnerAutomaticallyHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage , CancellationToken )
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage , HttpCompletionOption , CancellationTokenSource , Boolean , CancellationTokenSource , CancellationToken )
   at Tva.Client.Pages.redacted.Services.IdentityService.GetAllUser()
   at Tva.Client.Pages.Users.OnInitializedAsync()
   at Microsoft.AspNetCore.Components.ComponentBase.RunInitAndSetParametersAsync()
   at Microsoft.AspNetCore.Components.RenderTree.Renderer.GetErrorHandledTask(Task , ComponentState )

@andrea.chiarelli is this something you’d be able to help with? Thank you.


Hi @sean.feldman, :wave:
Not sure if this fixes your problem, but have you tried to catch the AccessTokenNotAvailableException and redirect the user to the authentication page?

The AccessTokenNotAvailableException has a Redirect() method for this.
Take a look at this document to learn more.
Let me know if it works.


Thank you for your prompt response, @andrea.chiarelli

AccessTokenNotAvailableException is great for one-off handling. With the application handling HTTP calls almost on every page, I was wondering if there’s something more global. Not to mention that a page that is sitting and not talking over HTTP will not “lock out”.

Hey @sean.feldman,
I would distinguish the UI case ("a page not talking over HTTP") from the HTTP calls.

I would expect that the UI case is handled by the <AuthorizeView>. Doesn’t it? :thinking:

Regarding the HTTP calls, I don’t know if you can use the <ErrorBoundary> component to catch this type of exception globally. I never used it.

However, as far as I know, very specific exceptions such as AccessTokenNotAvailableException should be handled locally. Global exception handling should be used only for generic or unhandled exceptions.


> I would expect that the UI case is handled by the <AuthorizeView>. Doesn’t it?

It doesn’t. When a session is timing out, the page stays as-is. If there’s any action on the page that is invoking API, that call times out and an exception is thrown but no redirection to a login page.
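
Added example (not code from any participant in this thread): one way to apply the suggested `AccessTokenNotAvailableException.Redirect()` call once for every HTTP request, by placing a `DelegatingHandler` outside the authorization handler. The names `SessionExpiredRedirectHandler`, `AddApiClientWithSessionRedirect` and the client name `"ServerAPI"` are hypothetical, and the sketch assumes the API is served from the app's base address so that `BaseAddressAuthorizationMessageHandler` applies.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical handler: sits outside the authorization handler so it sees the
// exception thrown when no access token can be obtained.
public sealed class SessionExpiredRedirectHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        try
        {
            return await base.SendAsync(request, cancellationToken);
        }
        catch (AccessTokenNotAvailableException ex)
        {
            // Send the user to the interactive login flow.
            ex.Redirect();

            // Design choice of this example: hand the caller a 401 instead of
            // rethrowing, so the component does not crash the renderer while
            // the navigation is in progress. Callers still see a failed call.
            return new HttpResponseMessage(HttpStatusCode.Unauthorized)
            {
                RequestMessage = request
            };
        }
    }
}

public static class SessionExpiredRedirectExtensions
{
    // Call from Program.cs after the authentication services are registered.
    public static IHttpClientBuilder AddApiClientWithSessionRedirect(
        this IServiceCollection services, Uri baseAddress)
    {
        services.AddTransient<SessionExpiredRedirectHandler>();
        return services
            .AddHttpClient("ServerAPI", c => c.BaseAddress = baseAddress)
            // Handlers run in registration order: the first one added is outermost.
            .AddHttpMessageHandler<SessionExpiredRedirectHandler>()
            .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
    }
}
```

This covers HTTP calls only; a page that makes no requests is not affected by it.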