Add .NET server_token_refresh sample#30
Merged
Merged
Conversation
…notes Code review caught that RefreshTokensAsync fetches the discovery document on every refresh call. For a teaching sample that's fine, but readers copying the pattern to prod would eat an extra round-trip per refresh. README production-notes now says so. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds a new .NET server_token_refresh sample demonstrating refresh-token handling with ASP.NET Core cookie auth + OpenID Connect, aligned with the existing Node scenario.
Changes:
- Added
samples/dotnet/token-refreshsample app implementing manual refresh (POST /refresh) and auto-refresh viaCookieAuthenticationEvents.OnValidatePrincipal. - Added an integration test project for the new sample with a fake token/discovery endpoint handler.
- Wired the new .NET scenario into the repo’s snippet and scenario manifests (
snippets.json,snippet-manifest.yaml,samples/dotnet/manifest.yaml).
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
snippets.json |
Registers the new .NET snippet steps for server_token_refresh. |
snippet-manifest.yaml |
Adds dotnet to the server_token_refresh scenario frameworks list. |
samples/dotnet/token-refresh/token-refresh.sln |
New solution for the sample and its tests. |
samples/dotnet/token-refresh/src/token-refresh.csproj |
New web project with OIDC + Duende.IdentityModel dependencies. |
samples/dotnet/token-refresh/src/Program.cs |
Implements cookie+OIDC login, manual refresh, and auto-refresh-on-validate logic. |
samples/dotnet/token-refresh/tests/token-refresh.tests.csproj |
New xUnit test project for the sample. |
samples/dotnet/token-refresh/tests/TestAuthHandler.cs |
Test auth handler that injects tokens into AuthenticationProperties. |
samples/dotnet/token-refresh/tests/FakeTokenEndpointHandler.cs |
Fake discovery/JWKS/token endpoints + test IHttpClientFactory. |
samples/dotnet/token-refresh/tests/AuthIntegrationTests.cs |
Integration tests covering root/login/refresh/logout flows. |
samples/dotnet/token-refresh/README.md |
Sample documentation and production notes. |
samples/dotnet/token-refresh/.env.example |
Example env configuration for running the sample. |
samples/dotnet/manifest.yaml |
Adds the server_token_refresh scenario metadata for .NET. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Catch exceptions from RefreshTokensAsync in /refresh handler so discovery/network failures render the error page instead of 500ing (addresses Copilot PR #30 review) - Set ClientCredentialStyle.PostBody on RefreshTokenRequest to match ASP.NET Core OIDC middleware default; fixes 401 Unauthorized from SecureAuth clients configured with client_secret_post Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The manifestLib fallback caused .NET snippets to emit a NuGet package name as "install", which the Quickstart UI renders as `npm install <pkg>`. Non-npm projects (.NET) declare packages in .csproj and install via the run_command's dotnet restore, so leave install empty. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The refresh step uses Duende.IdentityModel types, but the `using` lived outside any @snippet tag so the Quickstart UI never showed it. Include the imports (and rename step 1's description) so readers see the required package. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds the second .NET sample —
server_token_refresh— demonstrating server-side refresh-token handling on top of ASP.NET Core cookie auth + OpenID Connect middleware.samples/dotnet/token-refresh/— Minimal API onhttps://localhost:4260usingDuende.IdentityModelfor the token-endpoint callserver_token_refreshsample: manualPOST /refreshform + automatic refresh via the cookie authOnValidatePrincipaleventApproach
Duende.IdentityModelhelpers —GetDiscoveryDocumentAsync+RequestRefreshTokenAsync— instead of hand-rolled HttpClient calls. Showcases how .NET developers typically integrate with OIDC providers beyond what the built-in middleware covers.IHttpClientFactoryseam — tests swap in a fakeHttpMessageHandlerto intercept discovery/JWKS/token traffic.SaveTokens = true;AuthenticationProperties.UpdateTokenValue(...)writes fresh tokens back on each refresh.CookieAuthenticationOptions.Events.OnValidatePrincipalfires on every authenticated request; the handler refreshes whenexpires_at - now < 60sand setsctx.ShouldRenew = trueso the cookie re-emits with updated tokens.RequireEnvhelper,Env.TraversePath().NoClobber().Load(),MapInboundClaims = false, no per-sample.gitignore.🤖 Generated with Claude Code