Blazor new AuthenticationState - consider event for expiry

[dazinator]

Is your feature request related to a problem? Please describe.

Task<AuthenticationState> is a new cascading parameter in blazor apps that allows downstream components access to the current authentication state of the user.

In my blazor client application, users authentication sessions have a sliding expiry.

When the user's session expires, I'd like all downstream components to be notified that the authentication state has changed, so that they have an option to re-render - potentially an "unauthenticated view" for their content.

Today, I can implement a custom AuthenticationStateProvider that returns the AuthenticationState based on my own 3 minute sliding cache of the users JWT token - and this works fine - the downstream components get the AuthenticationState and the user is either authenticated or not authenticated.

However, suppose the user is initially authenticated, but then after doing nothing on the site for 3 minutes, their authentication token expires. My custom authentication mechanism is able to raise an event when this happens, and my AuthenticationStateProvider will now return an unauthenticated principle when it is next asked for the AuthenticationState. However downstream components are not able to be notified that the authentication state has Jjust changed - instead they must each poll the cascaded Task<AuthenticationState> periodically. Having each component poll is not very efficient, and depending on the timing of each poll, some components may detect and re-render before others resulting in a bit of a haphazzard UI.

I've considered tying

Describe the solution you'd like

What I'd like to see is a way for downstream components to be notified of authentication state change, in a way that doesn't require them to poll.

Describe alternatives you've considered

I've considered injecting a custom service into each downstream component, that bypasses AuthenticationStateProvider and directly couples them to my JWT token management system, which will notify them when the JWT token expires. I don't like this because it couples otherwise reusable components to my specific authentication mechanism. Even if I injected a generic Event / Message Bus / IPubSub service to decouple the components from my specific authentication mechanism, id still then be coupling them to that service. If I wanted to re-use those components in other apps, they's have to also adopt whatever service that was. This feels nasty,

[campersau]

You can override OnParametersSet or OnParametersSetAsync an check the cascading Task<AuthenticationState> parameter again.

[dazinator]

@campersau isn't that still polling? And wouldn't that require paramaters to be changing for that poll to happen? If the user left the page open for 5 minutes without doing anything on the page, how would components know to do a poll?

[dazinator]

I was thinking if AuthenticationState exposed an Expiry ChangeToken then components could subscribe (register callbacks) to that change token, and that token could be signalled in the event the authentication state expired. Then I could derive a custom AuthenticationState that signalled that change token when my jwt token expires (when JWT authentication is used in my app) and my custom AuthenticationStateProvider would return that. This would only require a small addition to AuthenticationState to add a ChangeToken. Later if users of my app logged in using new method that doesn't expire (for instance a persistent cookie) then my custom AuthenticationStateProvider would return an instance of the default AuthenticationState class, which would never trigger the expiry IChangeToken - and all of my components just stay the same, and behave like good citizens irrespective of authentication method used, they have a way to handle expiry.

[dazinator]

I have noticed that the AuthenticationStateProvider has an AuthenticationStateChanged event!
I think.. I should be able to achieve what I want by raising this event when my jwt token expires - i'm not sure whether this will trigger components to automatically re-render with the latest AuthenticationState but i'll continue down this path.

[campersau]

Yes, that will propergate the new Task<AuthenticationState> to all components which have the cascading parameter and OnParametersSet will be called on these afterwards.

[dazinator]

@campersau ah I see how it fit's together now, thank you. I assume <AuthorizeView> works in a similar fashion. I'll close this for now as that should be sufficient for my needs!

[campersau]

@dazinator yes, it does.