Opaque (reference) access token guidance #36588
Pull request overview
This PR adds comprehensive guidance for handling opaque (reference) access tokens in ASP.NET Core Blazor Web Apps with OIDC authentication, addressing issue #36422. The documentation explains when opaque tokens are supported by default and provides a starting-point implementation for scenarios requiring custom token validation.
Key Changes
- Explains that AddOpenIdConnect inherently supports opaque tokens for basic authentication scenarios without additional configuration
- Documents the limitation when opaque tokens need to be validated by services using AddJwtBearer
- Provides a custom AuthenticationHandler implementation as a starting point for developers who need to validate opaque tokens via introspection endpoints
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Luke Latham <1622880+guardrex@users.noreply.github.com>
Hi @guardrex, nice work. If you are making docs about introspection, I think you should mention something about the revocation endpoint, and that when using reference tokens, these are typically invalidated on a logout event using the revocation endpoint.
…ithub.com/dotnet/AspNetCore.Docs into guardrex/blazor-oidc-opaque-access-tokens
@halter73 ... There was considerable churn (nine commits) while updating this. It's best if you look at the latest version of the PR to determine if the updates are sane. Unfortunately, I can't squash the nine commits into one because the Copilot commit was a merge commit.
Fixes #36422
cc: @mikekistler
Stephen ... I hacked some nasty 🦖 code 🙈😆 with the help of AI to give you an idea of what I have in mind for the bits that call the auth server to validate the token.
Apparently, Entra doesn't support opaque access token validation, per this MS answer as of 2023 and a local test that I just ran here with Entra.
I originally had this in the BWA-OIDC article, but it's more general than that, so I just moved it to the additional scenarios article and cross-linked to it there from a few spots.