[Blazor][Wasm] Set oidc Authentication Options in local storage

[StPaulis]

Packages Version="3.2.0-preview3.20168.3"

I have just implemented the oidc authentication in a Client Side Blazor application according to the documentation.

Problem

The problem is that the oidc response is saved in the session storage by default and I haven't find a way to configure it.

Suggestion

I would like to have an option to choose the Storage Type ('session' or 'local') when configuring the service on startup: authentication-service-support.

Something like this :

services.AddOidcAuthentication(options =>

            {

                options.ProviderOptions.Authority = frontEndOptions.AuthorityUrl;

                options.ProviderOptions.ClientId = frontEndOptions.UiClientId;

                options.ProviderOptions.DefaultScopes = frontEndOptions.Scope.Split(' ');

                options.ProviderOptions.PostLogoutRedirectUri = frontEndOptions.PostLogoutRedirectUrl;

                options.ProviderOptions.RedirectUri = redirectUrl;

                options.ProviderOptions.ResponseType = "id_token token";

                // The line below is the suggestion
                **options.ProviderOptions.StorageType = "local";** 

            });

[blowdart]

Why do think it's a problem to have it in session? Putting tokens in local storage can expose your token to more risk.

[StPaulis]

Because while in session, I have to authenticate every time I open a new tab, and I would like to have the option to keep it in local storage for some applications

[xrkolovos]

Maybe, it would also be nice if we can store it in a cookie, there are some scenarios(with files access) that is useful.

[javiercn]

@StPaulis thanks for contacting us. As @blowdart mentions it, we chose session storage because it limits the exposure of the token.

In preview4 we will authenticate the user when the app starts, so you won't have to actively authenticate every time, since after you've done it the first time, it will happen silently and automatically for the rest of the apps when you open a new tab.

[xrkolovos]

@javiercn can you explain how this will happen?
By sharing the session storage across tabs?
By redirecting the user to the Identity Server and back?
Something else?

Is this tracked in an other issue, since it is for preview4?

Why don't give the user the option to choose? All the oidc javacript libs let you choose your storage type.

@blowdart What is that more risk? (XSS applies for both of them, right?)

[javiercn]

By performing a silent sign-in when the app starts, which happens inside a hidden iframe.
This is tracked on a separate issue. This was done here

@blowdart What is that more risk? (XSS applies for both of them, right?)
The token is persisted across browser sessions which gives makes it much easier to be leaked.

Why don't give the user the option to choose? All the oidc javacript libs let you choose your storage type.

Because it adds more concepts that we need to explain users and increases the complexity of the package as well as the testing cost, and we think the ROI is low.

[ghost]

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.