I have managed to get an access token in my web app, and I guess I am able to retrieve a refresh token, too, but how do I store the refresh token securely, and how do I use it when my access token expires? I am on ASP.NET 9, using this wiring:
```csharp
// Auth0 wiring: offline_access in the scope is what asks Auth0 for a refresh token.
builder.Services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"]!;
    options.ClientId = builder.Configuration["Auth0:ClientId"]!;
    options.ClientSecret = builder.Configuration["Auth0:ClientSecret"];
    options.Scope = "openid profile email offline_access";
})
.WithAccessToken(options =>
{
    options.Audience = builder.Configuration["Auth0:Api:Audience"];
    options.UseRefreshTokens = true;
});

// Login cookie: 30-day sliding session.
builder.Services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromDays(30);
    options.SlidingExpiration = true;
    options.Cookie.IsEssential = true;
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
    options.Cookie.SameSite = SameSiteMode.Lax;
});
```
Hi there.
Here, it depends on how your Blazor app is built.
Duende Software (the people who created and maintain IdentityServer) have an OSS library that helps with this scenario and others, and it's quite handy.
Now, the "depends" part:
If you are using Blazor Server, this doc would help you:
"Since the tokens cannot be managed in the authentication session, you need to store them somewhere else. The options include an in-memory data structure, a distributed cache like redis, or a database. Duende.AccessTokenManagement describes this store for tokens with the IUserTokenStore interface. In non-blazor scenarios, the default implementation that stores the tokens in the session is used. In your Blazor server application, you'll need to decide where you want to store the tokens and implement the store interface."
Blazor Server Access Token Management | Duende Software Docs
If you are using Blazor as a SPA, it should be a public client.
This may point you in the right direction on this scenario (even though it is an MS Entra article, the principle stands):
Secure an ASP.NET Core Blazor Web App with Microsoft Entra ID | Microsoft Learn
Be careful when using public clients (there is a whole thing on the security side of things).
More on the IETF Website:
OAuth 2.0 for Browser-Based Applications
And here is an Auth0 article on BFF:
Backend For Frontend Authentication Pattern with Auth0 and ASP.NET Core
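As an added example, not code from the original posts or from Duende: one way to implement the IUserTokenStore that the quoted Blazor Server docs ask you to write, keeping the refresh token out of the cookie and encrypted at rest. It assumes the Duende.AccessTokenManagement 3.x interface shape (StoreTokenAsync/GetTokenAsync/ClearTokenAsync, the UserToken type with its Error property, UserTokenRequestParameters.Resource, and the AddBlazorServerAccessTokenManagement registration), plus a registered IDistributedCache and ASP.NET Core Data Protection.

```csharp
using System.Security.Claims;
using System.Text.Json;
using Duende.AccessTokenManagement.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Caching.Distributed;

// Hypothetical store for Blazor Server: tokens live in IDistributedCache (Redis, SQL, or
// in-memory), keyed by the user's subject claim plus the requested resource, and are
// encrypted with Data Protection so the refresh token is never persisted in plaintext.
// Registration (assumed API): builder.Services.AddOpenIdConnectAccessTokenManagement()
//     .AddBlazorServerAccessTokenManagement<ProtectedDistributedUserTokenStore>();
public sealed class ProtectedDistributedUserTokenStore : IUserTokenStore
{
    private readonly IDistributedCache _cache;
    private readonly IDataProtector _protector;

    public ProtectedDistributedUserTokenStore(IDistributedCache cache, IDataProtectionProvider provider)
    {
        _cache = cache;
        _protector = provider.CreateProtector("UserTokenStore.v1"); // purpose string isolates these keys
    }

    public async Task StoreTokenAsync(ClaimsPrincipal user, UserToken token, UserTokenRequestParameters? parameters = null)
    {
        // Keep the entry alive as long as the login cookie (30 days in the question);
        // otherwise the refresh token disappears before the session does.
        var options = new DistributedCacheEntryOptions { SlidingExpiration = TimeSpan.FromDays(30) };
        var protectedJson = _protector.Protect(JsonSerializer.Serialize(token));
        await _cache.SetStringAsync(Key(user, parameters), protectedJson, options);
    }

    public async Task<UserToken> GetTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
    {
        var protectedJson = await _cache.GetStringAsync(Key(user, parameters));
        if (protectedJson is null)
        {
            // No entry: report an error so the library falls back to an interactive login.
            return new UserToken { Error = "no token stored for this user" };
        }
        var token = JsonSerializer.Deserialize<UserToken>(_protector.Unprotect(protectedJson));
        return token ?? new UserToken { Error = "stored token could not be deserialized" };
    }

    public Task ClearTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
        => _cache.RemoveAsync(Key(user, parameters)); // call on logout so the refresh token is dropped

    private static string Key(ClaimsPrincipal user, UserTokenRequestParameters? parameters)
    {
        // "sub" may have been mapped to NameIdentifier by the default claim mapping.
        var sub = user.FindFirst("sub")?.Value ?? user.FindFirst(ClaimTypes.NameIdentifier)?.Value
                  ?? throw new InvalidOperationException("authenticated user has no subject claim");
        return $"user-token:{sub}:{parameters?.Resource ?? "default"}";
    }
}
```

With this store in place the library's token retrieval refreshes the access token from the stored refresh token when it expires, and the cookie only carries the session identity, not the tokens.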