Managing Tokens in .NET MAUI

Thank you for the response, I will try to clean up some things:

  1. I’m using Blazor Server (Interactive render), saving tokens into cookies (through HttpContext.StoreTokens) is default behavior when using Microsoft OIDC provider. I guess it’s a pretty safe bet taking into account that it’s protected by IDataProtection API.

It’s a good practice to validate tokens when you get them from outside your app. You don’t know what happened to them while they were out of your control.

I got you, the only downside I’m seeing with this approach is performance when we are sending requests every time we check user authorize state with “AuthorizeView” component or “Authorize” attribute.

As stated in the OIDC specs, “the ID Token expiration time is unrelated the lifetime of the authenticated session between the RP and the OP”.

Damn, that’s the key sentence I missed, thank you for pointing this out. In my case I’m the owner of the OIDC server, APIs and client apps, so I can assume that access token format will not change.

Not sure about the Microsoft example. Honestly, I don’t see the need to store the access token in the cookie (see the article I mentioned earlier)

Hmm, interesting, can’t wait for the new article tomorrow then :smiley: Token management seems to be pretty undone in new Blazor as even Microsoft docs have this page as “TODO”
Token Management Microsoft docs