Well, not easy questions. I’ll try to do my best.
It’s a good practice to validate tokens when you get them from outside your app. You don’t know what happened to them while they were out of your control.
You mention “when we getting id token from cookies”. I’m not sure I correctly understand this. In what scenario are you storing an ID token in a cookie? What application type? A SPA?
In general, you shouldn’t store a token in a cookie. In fact, you shouldn’t store a token anywhere when the application is a SPA. Take a look at this article to learn more.
An ID token tells you that a user has been successfully authenticated. It optionally contains info about the user. As stated in the OIDC specs, “the ID Token expiration time is unrelated the lifetime of the authenticated session between the RP and the OP”. In other words, the ID token expiration time is unrelated to the authenticated session lifetime.
You might think that you can use the access token’s expiration time as a reference for the session length and to decide to refresh the tokens, but there are some considerations to take into account:
- As with the ID token, the access token’s expiration time tells you that the authorization info it contains is no longer valid. You can decide to terminate your authenticated session now or request a new access token or do whatever. It’s up to you and your session management policy.
- The biggest problem is: how can you be sure that the access token has expired? On the client side, you cannot. The access token (and its format) is an agreement between the authorization server and the resource server (typically, the API). The client should NEVER inspect an access token, because its format can change without notice.
The only way to know that an access token has expired should be after you have used it and got an “access denied” response from the API.
Not sure about the Microsoft example. Honestly, I don’t see the need to store the access token in the cookie (see the article I mentioned earlier).
If you are interested in dealing with ID and access tokens in Blazor (.NET 8), you can read this article for adding authentication and a new one about calling protected APIs will be published tomorrow.
For more details on ID and access tokens, you can read this article.
For the relationship between sessions and tokens, you can read this article.
I hope this helps.
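Added example, not part of the reply above and not code from Auth0 or its SDKs: the two client-side rules the reply makes, in plain JavaScript. First, an ID token that arrives from outside the app is validated before use; signature verification is assumed to be done by a JOSE library, and the function below checks the OIDC Core claims (iss, aud, azp, exp, iat, nonce) on the already-verified payload. Second, the access token is treated as an opaque string that the client never decodes, and expiry is learned only from a 401 from the API, after which the client asks its token source for a new token and retries once. The issuer, the API and the `getAccessToken` callback are constructed stand-ins for the demo, not real endpoints.

```javascript
// 1. ID token claim validation on an already signature-verified payload.
//    `expected` (issuer, clientId, clockSkew, nonce) and `nowSeconds` are
//    hypothetical inputs supplied by the app; the checks follow OIDC Core 3.1.3.7.
function validateIdTokenClaims(claims, expected, nowSeconds) {
  const errors = [];
  if (claims.iss !== expected.issuer) errors.push('iss mismatch');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) errors.push('aud does not contain client_id');
  // With multiple audiences the azp claim must name this client.
  if (aud.length > 1 && claims.azp !== expected.clientId) errors.push('azp mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) errors.push('token expired');
  if (typeof claims.iat !== 'number' || claims.iat > nowSeconds + expected.clockSkew) {
    errors.push('iat in the future');
  }
  if (expected.nonce !== undefined && claims.nonce !== expected.nonce) errors.push('nonce mismatch');
  return { valid: errors.length === 0, errors };
}

// 2. Access token handled as an opaque string. The client never parses it;
//    a 401 from the API is the only expiry signal, and it triggers one refresh
//    (via the hypothetical getAccessToken callback: refresh token, silent auth,
//    whatever the app uses) and one retry.
class ApiClient {
  constructor(fetchFn, getAccessToken) {
    this.fetchFn = fetchFn;               // (token) => { status, body }
    this.getAccessToken = getAccessToken; // () => string
    this.accessToken = null;
  }
  call() {
    if (this.accessToken === null) this.accessToken = this.getAccessToken();
    let res = this.fetchFn(this.accessToken);
    if (res.status === 401) {
      // Expiry learned from the API's answer, not from inspecting the token.
      this.accessToken = this.getAccessToken();
      res = this.fetchFn(this.accessToken);
    }
    return res;
  }
}

// Constructed stand-ins: an issuer that hands out opaque strings and an API
// that accepts only tokens the issuer has not yet expired.
function makeDemo() {
  const live = new Set();
  let issued = 0;
  const getAccessToken = () => { issued += 1; const t = `opaque-${issued}`; live.add(t); return t; };
  const expireAll = () => live.clear(); // simulates tokens reaching their lifetime
  const apiCalls = [];
  const fetchFn = (token) => {
    apiCalls.push(token);
    return live.has(token) ? { status: 200, body: { hello: 'world' } } : { status: 401, body: null };
  };
  const client = new ApiClient(fetchFn, getAccessToken);
  return { client, expireAll, apiCalls, issuedCount: () => issued };
}

// Walks through: first call succeeds, tokens expire, second call gets a 401,
// refreshes, retries and succeeds. Returns the observed statuses and call log.
function runDemo() {
  const d = makeDemo();
  const first = d.client.call();
  d.expireAll();
  const second = d.client.call();
  return { first: first.status, second: second.status, issued: d.issuedCount(), apiCalls: d.apiCalls.slice() };
}
```

The retry is deliberately limited to one attempt: if the freshly issued token is also rejected, the problem is authorization, not expiry, and looping would only hammer the issuer.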