In Blazor WASM with with Open ID Connect how can you force an Auth/ID Token refresh

[baynezy]

I have a Blazor WASM app integrated with my IdP via Open ID Connect. There are custom claims that we need that are stored in the ID Token and Auth Token. This all works fine in the most part. However, there are a couple of expected situations where a particular process will update source data for these and so the data in the tokens has become stale. So in the app I would like to force the refreshing of these tokens from the IdP so they have the latest information.

I have tried, unsuccessfully, to find how to so this. However, my Google-fu must be off as I have not found anything that even points me in the right direction.

If it is relevant I am using .Net 8 and my IdP is Auth0.

Anyone have any pointers?

[josephdecock]

You should use the OIDC userinfo endpoint to get claims about the user, and you can do that on demand (it is just another OAuth resource, so your access token gives you access to the endpoint).

A bigger concern though is that your tokens should not be stored in a location that JavaScript can reach them, as this means that an injection attack can exfiltrate tokens. Historically, this kind of attack has been among the most common attacks against applications using OAuth and OIDC. To defend against this, you need a server process (usually called the backend for frontend or BFF) to perform protocol flows, session management and store tokens.

[josephdecock]

See OAuth for Browser Based Apps from the IETF for more details on the security implications of tokens in the browser.

[baynezy]

So are you saying that JWT authentication is fundamentally broken for SPAs?

[josephdecock]

OAuth tokens being stored in the frontend is a pretty dangerous thing to do. Here's a great talk on the subject by Philippe de Ryck (he's a security researcher, and contributor to OAuth standards): https://www.youtube.com/watch?v=OpFN6gmct8c

[baynezy]

So why then does MS offer JWT authentication at all? Other than adding some custom claims I am using the vanilla set up.

[josephdecock]

Well, ultimately I don't speak for Microsoft. As a member of the community who cares a lot about identity and security and works on these issues full time, I'm sharing my opinions and the standards and research that they're based on.

In my view, it would be helpful if the MS documentation took a firmer stance against tokens in the browser, and in favor of the BFF pattern.

The blazor-samples repo does actually have samples using the BFF pattern, and there is some MS documentation that uses the pattern.