Add documentation for JWT authentication in Blazor

[MarvinKlein1508]

Tell us what search terms you used and how you searched docs.

I've searched for JWT and authentification.

Tell us what docs you found that didn't address your concern.

Basically the entire tree here:
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-9.0&tabs=visual-studio

Describe the new topic

Explain why this topic is needed.

Many people create ASP.NET Core Web Apis as backend for their applications. Those often rely on JWT authentification for their endpoints. Mixing blazor into all of this makes this a really complicated process. Literally any tutorial you find about this topic is differs from each other and there are no real best practices.

Should you even use JWT authentification in Blazor at all? If so how should you handle the different rendermodes?

In my example there endpoints for authentication right within the Web Api which return an access and refresh token which should be used to authenticate the user in the blazor app. The token shoudl also be applied to all requests from HttpClient.

Suggest a location in the Table of Contents.

This should be located right into the Blazor section.
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-9.0&tabs=visual-studio

Write an abstract. In one short paragraph, describe what this topic will cover.

The docs should cover how to save the access and refresh token in the different blazor scenarios. As well as automatically fetching a new access token when it has been expired. Last but not least it should show how the access token should be attached to the HttpClient requests.

[guardrex]

Hello @MarvinKlein1508 ... For BWAs, this is somewhat of duplicate of an existing issue for the passing tokens section of the server-side security article and a tracking item that I maintain in another docs issue. Currently, we demonstrate several approaches for calling web APIs in the articles that describe specific project scenarios for BWAs. See how the web APIs are set up for the BFF patterns in the following articles ...

• https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-entra?view=aspnetcore-9.0&pivots=non-bff-pattern
• https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-oidc?view=aspnetcore-9.0&pivots=bff-pattern
• ... and the sample apps that they cross link in the Blazor samples repo (look for "Bff" in the project names)

BUT ... Yes! 👍 ... The documentation needs more general guidance than show-'n-tell experiences with flavors of Blazor sample apps. We need some formal reference guidance. Those sample apps and articles just went up in about the last year, so we're just getting the security scenarios for BWAs covered well now.

I'll leave this issue open for reference when I reach the other issue and make a note on that issue to see these remarks. I'll probably try to work them together.

Also note in passing that searching with "JWT" isn't a good choice. We mostly refer to "access tokens," and a lot more guidance should pop up in search results with that search term.

Also note that you have to be specific about what type of Blazor app you're referring to. We have a lot of coverage on web API access and attaching tokens to HttpClient requests for Blazor WebAssembly apps. Again tho, you probably won't find too much specifically filtering on "JWT" because we don't mention "JWT" in a lot of guidance that deals with access tokens. A rare exception is in the WASM overview (security node), where JWT is called out by name. Beyond that and beyond what's mentioned in each use case scenario article (auth lib, MS accounts, Entra, and B2C, Entra groups/roles, and Graph SDK/API), the general approaches are in the additional scenarios article. We very likely will re-organize that quite a bit to improve it. I hope to get to this within a few months, but it's a lower priority than .NET 10 work, which has to be rolled out on-time for each preview release.