Blazor browser storage: The way to go for authentication cookies?

[hhhuut]

Hi everyone,

So the current Blazor preview includes Protected Browser Storage ( #18755 ).

My question would now be: Is this the desired way to go from now on to save authentication cookies?

At least for Blazor Server, previously to this, you were only able to store authentication data for the lifetime of the circuit (through a combination of ServerAuthenticationStateProvider and IHostEnvironmentAuthenticationStateProvider), but that state is lost as soon as the user manually refreshes the page or closes that tab/window.
There are several workarounds, like calling a JS interop that writes the cookie, or using a .cshtml as the login page so the regular HTTP pipeline can send/receive cookies, but both of them are somewhat tedious.

Looking forward to your opinions on this.

[SteveSandersonMS]

My question would now be: Is this the desired way to go from now on to save authentication cookies?

No. If your server issues authentication cookies, they should be stored as regular cookies, as they would be by default.

Did you try out the built-in auth-enabled project templates? These provide suggested ways of tracking authentication state.

[hhhuut]

Did you try out the built-in auth-enabled project templates?

I'm afraid I don't really know what you're referring to so I'd be grateful if you could nudge me in the right direction.

To provide a little background, I'm currently doing some tests for an administration panel for which I've already implemented a custom RevalidatingServerAuthenticationStateProvider to periodically check/rewrite the Claims the current user has so the UI can react to that (i.e. using AuthorizeView).
I know how to do do authentication in a regular ASP.NET Core 3 application using a controller, but I'm at a loss at how to tie that in with my Blazor app, persisting the authentication between browser sessions and still being able to periodically update the ClaimsPrincipal while preventing page reloads for that.

EDIT:

Did you try out the built-in auth-enabled project templates?

Ugh yeah it was late and my brain not active anymore, sorry. I now had a look at the individual user account template in VS, however that uses a .cshtml file in conjuction with SingInManager which, as described above, ideally I want to avoid and SignInManager<TUser> and UserManager<TUser> aren't supported in Razor components. according to the docs.
As I've said in my original post, I know that the workaround through .cshtml files exist, however I don't see how I can automatically update a ClaimsPrincipal's Claims without redirecting to login again (since that's the only place to update cookies) so I thought maybe with the upcoming Protected Browser Storage it is possible to circumvent that and implement a Blazor-only solution to this.

[SteveSandersonMS]

I see - thanks for clarifying. In summary then I'd say that ProtectedBrowserStorage is completely unrelated to the auth system and most likely isn't involved in anything you're doing to maintain auth state. You don't need to store auth tokens or cookies inside ProtectedBrowserStorage because auth tokens/cookies are already designed to be passed to the client in particular ways (e.g., auth cookies are passed as cookies).

[hhhuut]

Thanks for the summary. I've marked your post above as the answer and I guess I'll return back to .cshtml files for authentication for now.