
OIDC Solution Doesn't Work With Opaque Access Tokens

Open grochoge opened this issue 2 months ago • 3 comments

Description

As far as I can tell, the .NET OIDC implementation for a separate Web project and backend API relies on the access token being a JWT. This is not something required by OIDC and thus this solution does not work with our SSO provider.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-oidc?view=aspnetcore-10.0&pivots=non-bff-pattern#sample-solution

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/blazor-web-app-with-oidc.md

Document ID

c3346d3a-346b-8db4-2650-ec044b3f0dd9

Platform Id

1dd51a4e-f734-569f-f6e9-19a27bcd9f4d

Article author

@guardrex

Metadata

  • ID: c3346d3a-346b-8db4-2650-ec044b3f0dd9
  • PlatformId: 1dd51a4e-f734-569f-f6e9-19a27bcd9f4d
  • Service: aspnet-core
  • Sub-service: blazor

Related Issues

grochoge avatar Dec 02 '25 19:12 grochoge

🥳 Happy Holidays! 🍽️

Stand-by! A green dinosaur 🦖 will be along shortly to assist.

github-actions[bot] avatar Dec 02 '25 19:12 github-actions[bot]

Hello @grochoge ... Yes, I believe it is possible to set up and configure for non-JWT (opaque) access tokens. The question is if the product unit, namely our security guru @halter73, wants the article to flesh out the approach (the changes required) in a section added to the article. Stand-by for him to arrive and comment on this.

guardrex avatar Dec 02 '25 19:12 guardrex

Update: We're still waiting for a response. Stephen might be OOF at the moment.

guardrex avatar Dec 09 '25 16:12 guardrex

Here's the issue tracking ASP.NET Core support for opaque (reference) token validation: https://github.com/dotnet/aspnetcore/issues/46026

It's currently in the backlog, but it could be reprioritized based on user feedback. Using the OIDC introspection endpoint is simple enough; a custom AuthenticationHandler that validates an opaque token might make a good sample for https://learn.microsoft.com/aspnet/core/security/authentication independent of any Blazor work.

AddOpenIdConnect by itself already supports opaque tokens due to the fact that it doesn't do any access token validation itself when configured to do the authorization code flow. It relies on the ASP.NET Core server's HTTPS backchannel to the OIDC authentication service to get the ID token using the authorization code received when the user redirects back to the ASP.NET Core app after signing in. So, if all you're trying to do is log a user in with OIDC so you can get a valid authentication cookie, opaque access tokens should work already. It's only if you're then passing the access token acquired by AddOpenIdConnect to another service and attempting to validate it with AddJwtBearer that there's a problem. @grochoge, were you aware of this? Do you need to validate the token outside of your Blazor app?

halter73 avatar Dec 17 '25 03:12 halter73
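The custom AuthenticationHandler that halter73 describes, as an added example that is not code from the article, the docs repo or the ASP.NET Core team: it replaces AddJwtBearer on the backend API and validates an opaque bearer token by calling the provider's OAuth 2.0 token introspection endpoint (RFC 7662). The IntrospectionOptions/IntrospectionHandler names, the option properties and the use of IHttpClientFactory are assumptions; it assumes .NET 8 or later (the three-argument AuthenticationHandler constructor and C# 12 primary constructors) and a provider that accepts client_secret_basic on the introspection call.

```csharp
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical options: the provider's introspection endpoint and this API's own
// client credentials, which RFC 7662 requires the resource server to present.
public class IntrospectionOptions : AuthenticationSchemeOptions
{
    public string IntrospectionEndpoint { get; set; } = "";
    public string ClientId { get; set; } = "";
    public string ClientSecret { get; set; } = "";
}

public class IntrospectionHandler(IOptionsMonitor<IntrospectionOptions> options,
    ILoggerFactory logger, UrlEncoder encoder, IHttpClientFactory httpFactory)
    : AuthenticationHandler<IntrospectionOptions>(options, logger, encoder)
{
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var header = Request.Headers.Authorization.ToString();
        if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return AuthenticateResult.NoResult();   // no bearer token: let other schemes run
        var token = header["Bearer ".Length..].Trim();

        // POST token=... to the provider, authenticated as this API (client_secret_basic).
        var req = new HttpRequestMessage(HttpMethod.Post, Options.IntrospectionEndpoint)
        {
            Content = new FormUrlEncodedContent(new Dictionary<string, string>
                { ["token"] = token, ["token_type_hint"] = "access_token" })
        };
        var creds = System.Text.Encoding.UTF8.GetBytes($"{Options.ClientId}:{Options.ClientSecret}");
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(creds));
        using var resp = await httpFactory.CreateClient().SendAsync(req, Context.RequestAborted);
        if (!resp.IsSuccessStatusCode)
            return AuthenticateResult.Fail("Introspection request failed");

        // "active" is the only field RFC 7662 guarantees; anything but true is a rejection.
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync(Context.RequestAborted));
        var root = doc.RootElement;
        if (!root.TryGetProperty("active", out var active) || !active.GetBoolean())
            return AuthenticateResult.Fail("Token is not active");

        var claims = new List<Claim>();
        if (root.TryGetProperty("sub", out var sub))
            claims.Add(new Claim(ClaimTypes.NameIdentifier, sub.GetString() ?? ""));
        if (root.TryGetProperty("scope", out var scope))   // space-delimited per RFC 7662
            foreach (var s in (scope.GetString() ?? "").Split(' ', StringSplitOptions.RemoveEmptyEntries))
                claims.Add(new Claim("scope", s));
        return AuthenticateResult.Success(new AuthenticationTicket(
            new ClaimsPrincipal(new ClaimsIdentity(claims, Scheme.Name)), Scheme.Name));
    }
}
```

Register it on the API with `builder.Services.AddAuthentication("Introspection").AddScheme<IntrospectionOptions, IntrospectionHandler>("Introspection", o => { ... })` and `AddHttpClient()`; a production handler should also check the returned `aud` and scopes against this API and cache results briefly, since every request otherwise costs a backchannel call.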