Nonce update for token refresh (#32081)

pull/32068/head
Luke Latham 2024-03-19 11:16:59 -04:00 committed by GitHub
parent bc8e0dfe75
commit c82db3ac5a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed file with 8 additions and 0 deletions

@ -570,6 +570,14 @@ The important changes to the `LogInOrOut` component are demonstrated in the foll
</div>
```
## Cryptographic nonce
A *nonce* is a string value that associates a client's session with an ID token to mitigate [replay attacks](https://developer.mozilla.org/docs/Glossary/Replay_attack).
If you receive a nonce error during authentication development and testing, use a new InPrivate/incognito browser session for each test run, no matter how small the change made to the app or test user because stale cookie data can lead to a nonce error. For more information, see the [Cookies and site data](#cookies-and-site-data) section.
A nonce isn't required or used when a refresh token is exchanged for a new access token. In the sample app, the `CookieOidcRefresher` (`CookieOidcRefresher.cs`) deliberately sets <xref:Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.RequireNonce?displayProperty=nameWithType> to `false`.
## Troubleshoot
[!INCLUDE[](~/blazor/security/includes/troubleshoot-server.md)]
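Review bot: the new troubleshooting sentence needs a comma before "because" ("...no matter how small the change made to the app or test user, because stale cookie data can lead to a nonce error"); as written, the causal clause reads as attached to "test user" rather than to the instruction to start a fresh InPrivate/incognito session. In the refresh-token paragraph, consider stating explicitly that `RequireNonce` is set to `false` only for the validation the `CookieOidcRefresher` performs on the refresh exchange, so readers do not take it as a reason to relax the nonce check on the interactive sign-in, which is where the replay protection described in the first sentence of the section applies; a link to the OpenID Connect Core requirements for ID tokens returned from a refresh request would also let readers verify the "isn't required or used" claim rather than take it on trust.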