Opaque (reference) access token guidance #36588
Pull request overview
This PR adds comprehensive guidance for handling opaque (reference) access tokens in ASP.NET Core Blazor Web Apps with OIDC authentication, addressing issue #36422. The documentation explains when opaque tokens are supported by default and provides a starting-point implementation for scenarios requiring custom token validation.
Key Changes
- Explains that AddOpenIdConnect inherently supports opaque tokens for basic authentication scenarios without additional configuration
- Documents the limitation when opaque tokens need to be validated by services using AddJwtBearer
- Provides a custom AuthenticationHandler implementation as a starting point for developers who need to validate opaque tokens via introspection endpoints
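An added example, not code from this PR or from the ASP.NET Core docs, of the introspection-based AuthenticationHandler the overview describes: the handler takes the bearer token from the request, POSTs it to the authorization server's RFC 7662 introspection endpoint, and builds a principal only when the response says the token is active. The IntrospectionOptions type, its property names, and reliance on the Web SDK's implicit usings (System.Net.Http, Microsoft.Extensions.Logging, LINQ) are assumptions.

```csharp
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

// Hypothetical options: introspection endpoint and the client credentials presented to it (RFC 7662).
public sealed class IntrospectionOptions : AuthenticationSchemeOptions
{
    public string IntrospectionEndpoint { get; set; } = "";
    public string ClientId { get; set; } = "";
    public string ClientSecret { get; set; } = "";
}

public sealed class IntrospectionHandler(IOptionsMonitor<IntrospectionOptions> options,
    ILoggerFactory logger, UrlEncoder encoder, IHttpClientFactory httpClientFactory)
    : AuthenticationHandler<IntrospectionOptions>(options, logger, encoder)
{
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Handle only "Authorization: Bearer <token>"; anything else is left to other schemes.
        if (!AuthenticationHeaderValue.TryParse(Request.Headers.Authorization, out var auth)
            || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(auth.Parameter))
            return AuthenticateResult.NoResult();
        // POST the opaque token to the introspection endpoint, authenticating as the client.
        using var request = new HttpRequestMessage(HttpMethod.Post, Options.IntrospectionEndpoint);
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
            { ["token"] = auth.Parameter, ["token_type_hint"] = "access_token" });
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.UTF8.GetBytes($"{Options.ClientId}:{Options.ClientSecret}")));
        using var response = await httpClientFactory.CreateClient().SendAsync(request, Context.RequestAborted);
        if (!response.IsSuccessStatusCode)
            return AuthenticateResult.Fail($"Introspection returned HTTP {(int)response.StatusCode}.");
        // "active": false covers expired, unknown, and revoked tokens, so a reference token
        // revoked at logout through the revocation endpoint is rejected on its next use.
        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync(Context.RequestAborted));
        if (!json.RootElement.TryGetProperty("active", out var active) || !active.GetBoolean())
            return AuthenticateResult.Fail("Token is not active.");
        // Turn the remaining introspection fields (sub, scope, exp, client_id, ...) into claims.
        var claims = json.RootElement.EnumerateObject()
            .Where(p => p.Name != "active")
            .Select(p => new Claim(p.Name, p.Value.ToString()));
        var identity = new ClaimsIdentity(claims, Scheme.Name, nameType: "sub", roleType: null);
        return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name));
    }
}
```

Register it with `builder.Services.AddHttpClient();` and `builder.Services.AddAuthentication().AddScheme<IntrospectionOptions, IntrospectionHandler>("Introspection", o => { /* endpoint and credentials */ });` (scheme name assumed). Every request costs a round trip to the authorization server, so a short-lived cache keyed on a hash of the token is a common addition.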
Hi @guardrex, nice work. If you are making docs about introspection, I think you should mention something about the revocation endpoint and that when using reference tokens, these are typically invalidated on a logout event using the revocation endpoint.
@halter73 ... There was considerable churn (nine commits) while updating this. It's best if you look at the latest version of the PR to determine if the updates are sane. Unfortunately, I can't squash the nine commits into one because the Copilot commit was a merge commit.
@damienbod ... Would you review the updates? Stephen might be unavailable right now, and this PR is very close to being ready to merge. If you'll review the last couple of updates that I made per your suggestions, I'll ask Wade to look things over after that, and these updates can be published.
LGTM, I just added 2 comments.
Thanks @damienbod! ... The NOTE is obviously going to be for advanced devs. I have nothing in our doc set that I can cross-link for that approach.
@wadepickett ... @halter73 has gone MIA again! 😆 He's probably buried in code somewhere! I made all of his suggested updates, and @damienbod reviewed (thx again, Damien! 🙏). I think we're in good shape thus far. If we get your suggestions addressed, we can merge this. No rush tho ... it doesn't have to be today ... or even this week for that matter.
halter73 left a comment
Only stage, and if you think it's good to go, feel free to leave no comments and tell me
I think this all looks good to merge. Sorry for all the repeated/stale review content! I should have noticed that before posting.
Fixes #36422
cc: @mikekistler
Stephen ... I hacked some nasty 🦖 code 🙈😆 with the help of AI to give you an idea of what I have in mind for the bits that call the auth server to validate the token.
Apparently, Entra doesn't support opaque access token validation, per this MS answer as of 2023 and a local test that I just ran here with Entra.
I originally had this in the BWA-OIDC article, but it's more general than that, so I just moved it to the additional scenarios article and cross-linked to it there from a few spots.