You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/guides/authentication-guide.md
+44-9Lines changed: 44 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -31,13 +31,14 @@ graph TB
31
31
32
32
#### Frontend (Blazor Server)
33
33
-**`AuthenticationService`**: High-level service for Login, Register, and Logout operations.
34
-
-**`TokenService`**: Stores Access and Refresh tokens in **Scoped Memory** (per user session).
34
+
-**`TokenService`**: Stores Access and Refresh tokens in **Scoped Memory** (per user session), keyed by tenant ID.
35
+
- Tokens are stored as `Dictionary<string, (AccessToken, RefreshToken)>` — one entry per tenant — supporting multi-tenant sessions within the same Blazor circuit.
35
36
-*Security Note*: Tokens are **NOT** stored in LocalStorage or Cookies to prevent XSS attacks.
36
37
- Tokens persist only for the lifetime of the user's session (browser tab).
- Reads tokens from `TokenService` for the **current tenant** (subscribes to `TenantService.OnChange` to re-evaluate state on tenant switch).
39
40
- Parses JWT claims to set the user's `AuthenticationState`.
40
-
- Automatically handles **Silent Refresh**when the access token is close to expiry.
41
+
- Automatically handles **Silent Refresh**5 minutes before token expiry (background) or immediately on request if the token has already expired.
41
42
42
43
#### Backend (API)
43
44
-**`JwtTokenService`**: Central service for generating access tokens, rotating refresh tokens, and building standardized user claims. Signing algorithm resolution is shared with API validation: explicit `Jwt:Algorithm` wins, otherwise `RS256` is auto-selected when both RS256 keys are configured, else it falls back to `HS256`.
@@ -285,9 +286,16 @@ This keeps validation strict while avoiding false 401 responses from minor clien
285
286
286
287
### Cross-Tenant Protection
287
288
288
-
`TenantSecurityMiddleware` blocksrequestswheretheJWT's `tenant_id` differs from the `X-Tenant-ID` header:
@@ -363,16 +371,27 @@ We store tokens in a Scoped service (`TokenService`). This means:
363
371
This is the intentional, final design for Blazor Server. Because all code (including `TokenService`) executes server-side, tokens are never serialised to the browser — not even as HttpOnly cookies. Refreshing the page requires re-login, which is an acceptable trade-off for high-security applications.
364
372
365
373
### Authorization Headers
366
-
All outgoing HTTP requests to the API are intercepted by `AuthorizationMessageHandler`, which attaches the Bearer token:
374
+
All outgoing HTTP requests to the API are intercepted by `AuthorizationMessageHandler`, which attaches the Bearer token for the **current tenant** and forwards additional request metadata:
0 commit comments