Duende.AccessTokenManagement.OpenIdConnect refresh expired cookie

[njannink]

We use Duende.AccessTokenManagement.OpenIdConnect for handling the authentication of our Blazor Server app there is still a scenario that doesn't seem to work as expected.

We use cookies for authentication of image src, download links etc. I have the idea that if the cookie token is expired that this one isn't refreshed. AspNetCore has this logic for that:

https://github.com/dotnet/blazor-samples/blob/main/9.0/BlazorWebAppOidc/BlazorWebAppOidc/CookieOidcRefresher.cs

Is this taken into account aswell by Duende or should I add this refresh logic in the CookieEvents validation call?

[wcabus]

Our AccessTokenManagement library only refreshes tokens on your behalf when a call is being made using an HttpClient.

If your use case requires authentication for accessing static resources like images etc., then you would indeed need to implement logic similar to the Blazor sample you've linked to ensure that the authentication cookie is refreshed when the tokens stored inside are nearing their expiration time.

[njannink]

is there a way how I can do this using the duende API so I dont have to build the OIDC request myself like the example?

[njannink]

Is it maybe something like this? I don't see how I can build a principal from the UserToken for the context.ReplacePrincipal call.

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        var token = await store.GetTokenAsync(context.Principal!);
        if (!token.Succeeded)
        {
            context.RejectPrincipal();
        }

        var oidcOptions = oidcOptionsMonitor.Get(OpenIdConnectDefaults.AuthenticationScheme);
        var now = oidcOptions.TimeProvider!.GetUtcNow();
        DateTimeOffset.TryParse(context.Properties.GetTokenValue(@"expires_at"), out var expires);

        if (!(now + TimeSpan.FromMinutes(5) > expires))
        {
            var parameters = new UserTokenRequestParameters
            {
                ChallengeScheme = Scheme.Parse(OpenIdConnectDefaults.AuthenticationScheme)
            };

            var refresh = await tokenManager.GetAccessTokenAsync(context.Principal, parameters);

            if (!refresh.Succeeded)
            {
                context.RejectPrincipal();
            }

            context.ShouldRenew = true;
            // context.ReplacePrincipal(token.ToPrincipal.Somehow()!);
            / or this maybe await tokenStorage.SetUserTokenAsync(refresh.Token!, context.Properties, parameters);
        }

        await base.ValidatePrincipal(context);
    }

[wcabus]

The default implementation for IUserTokenManager may eventually call AuthenticateAsync again for the sign-in scheme, with the sign-in scheme being the cookie authentication handler. AuthenticateAsync will then again call the ValidatePrincipal method in the events, causing a loop to occur.

I don't immediately see an easy way to get there using the AccessTokenManagement library unfortunately.