Thank you for the response, I will try to clean up some things:
- I’m using Blazor Server (Interactive render), saving tokens into cookies (through HttpContext.StoreTokens) is default behavior when using Microsoft OIDC provider. I guess it’s a pretty safe bet, taking into account that it’s protected by the IDataProtection API.
It’s a good practice to validate tokens when you get them from outside your app. You don’t know what happened to them while they were out of your control.
I got you, the only downside I’m seeing with this approach is performance when we are sending requests every time we check user authorize state with “AuthorizeView” component or “Authorize” attribute.
As stated in the OIDC specs, “the ID Token expiration time is unrelated to the lifetime of the authenticated session between the RP and the OP”.
Damn, that’s the key sentence I missed, thank you for pointing this out. In my case I’m the owner of the OIDC server, APIs and client apps, so I can assume that the access token format will not change.
Not sure about the Microsoft example. Honestly, I don’t see the need to store the access token in the cookie (see the article I mentioned earlier)
Hmm, interesting, can’t wait for the new article tomorrow then.
Token management seems to be pretty undone in the new Blazor, as even the Microsoft docs have this page as “TODO”:
Token Management microsoft docs
For anyone encountering a similar error after integrating UserManager.cs:
System.InvalidOperationException Message= IDX20803: Unable to obtain configuration from: ‘https://<YOUR_AUTH0_DOMAIN>/.well-known/openid-configuration’
I resolved this issue by downgrading the IdentityModel.OidcClient.IdentityTokenValidator package from version 6.0.0 to version 5.2.1. After making this change, everything worked as expected.
Hey @johannesschliesser, thank you for sharing 
Thanks for these posts. I’ve been learning a lot about how this stuff works.
Now that it’s 2025, and the IdentityModel.OidcClient.IdentityTokenValidator package is deprecated and no longer available:
With the removal of Hybrid Flow support from (Duende.)IdentityModel.OidcClient, it is not necessary anymore to validate id_tokens. However, you can still do your own validation via our extensibility points if desired.
How should I amend the code in this tutorial? Just skip the id token validation code? Or is there a different method I can use to validate the id token?
Thanks!
I found the workaround.
Instead of IdentityModel.OidcClient.IdentityTokenValidator, install the newer package called Duende.IdentityModel.OidcClient. It does not have the deprecated IdentityTokenValidator in it, but it does have NoValidationIdentityTokenValidator that uses the same Interface. It doesn’t actually perform validation beyond making sure the token is a valid jwt, but it can be a drop-in replacement for the demo code as it returns the needed information about the identity token.
I found that the NoValidationIdentityTokenValidator does absolutely nothing with the options parameter on ValidateAsync, so I was able to remove unneeded code (including an extra http call) and make UserManager.GetAuthenticatedUser() look like this:
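    public async Task<ClaimsPrincipal?> GetAuthenticatedUser()
    {
        ClaimsPrincipal? user = null;
        // Read the id_token previously saved in the platform secure storage.
        var idToken = await SecureStorage.Default.GetAsync("id_token");
        if (idToken != null)
        {
            // Only checks that the token parses as a JWT; no further validation is performed.
            var validator = new NoValidationIdentityTokenValidator();
            // The options argument is not used by this implementation, so null is passed.
            var validationResult = await validator.ValidateAsync(idToken, null);
            if (!validationResult.IsError) user = validationResult.User;
        }
        return user;
    }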
The options parameter for ValidateAsync is required for the Interface even though it isn’t used in the implementation, so I just pass null.
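For readers who want the stored id_token actually verified (signature, issuer, audience, expiry) rather than only parsed, here is an added example that is not part of the original post or the tutorial's code. It assumes the Microsoft.IdentityModel.JsonWebTokens and Microsoft.IdentityModel.Protocols.OpenIdConnect packages and RS256-signed tokens; the class name `StoredIdTokenValidator` and its constructor arguments are hypothetical.

```csharp
using System;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper (not from the tutorial): verifies a stored id_token
// against the provider's published signing keys before trusting its claims.
public sealed class StoredIdTokenValidator
{
    private readonly string _clientId;
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _metadata;
    private readonly JsonWebTokenHandler _handler = new();

    // authority is a placeholder such as "https://<YOUR_AUTH0_DOMAIN>"
    public StoredIdTokenValidator(string authority, string clientId)
    {
        _clientId = clientId;
        // The discovery document and JWKS are fetched on first use, then cached and refreshed.
        _metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            authority.TrimEnd('/') + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    }

    public async Task<ClaimsPrincipal?> ValidateAsync(string? idToken, CancellationToken ct = default)
    {
        if (string.IsNullOrWhiteSpace(idToken)) return null;

        OpenIdConnectConfiguration config = await _metadata.GetConfigurationAsync(ct);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,              // iss must match the discovery document
            ValidAudience = _clientId,                // aud must be this client
            IssuerSigningKeys = config.SigningKeys,   // signature is checked against the JWKS
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // assumption: RS256 tokens
            ValidateLifetime = true,                  // expired tokens are rejected
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        TokenValidationResult result = await _handler.ValidateTokenAsync(idToken, parameters);
        // Fail closed: any validation error means no authenticated user.
        return result.IsValid ? new ClaimsPrincipal(result.ClaimsIdentity) : null;
    }
}
```

With `ValidateLifetime = true`, an expired stored token returns null, so the app has to send the user through login again or refresh its tokens; whether that matches the intended session lifetime is a design decision for the app.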
Hi @norbythegeek,
Thank you for your feedback. I’ll go through the sample project and update it in the next few weeks. Thanks again 