Blazorade ID defines two different types of token stores that are implemented as services:

• ITokenStore: Used to store access tokens and identity tokens.
• IRefreshTokenStore: Used only for refresh tokens.

The reason there are two separate token stores is to enable different handling of these tokens. Access tokens and identity tokens are typically short lived and are unusable after they have expired.

Refresh tokens on the other hand are very long lived. In Microsoft Entra ID the lifetime of refresh tokens vary from 24 hours to 90 days depending on the application type. For SPA applications that Blazor applications typically are, the lifetime is 24 hours.

By default, Blazorade ID configures an in-memory token store for access tokens and identity tokens. For refresh tokens, the default refresh token store is an implementation that does not store any refresh tokens.

Note! Any data that is available to the browser is potentially also available to Cross-Site Scripting (XSS) attacks and similar. So if you decide to store tokens using any of the token stores shipped with Blazorade ID, understand the risks involved. One rule of thumb - The longer you store the tokens, the longer they are exposed. Refresh tokens should also be treated separately, since they are usable for a substantially longer time than access tokens and identity tokens. This is why by default, Blazorade ID does not store refresh tokens at all.

Blazorade ID ships with various implementations of both of these stores that you can easily configure for your application.

The following implementations ship with Blazorade ID and are used to store access tokens and identity tokens.

• InMemoryTokenStore: This is the default token store. It stores tokens in the application memory.
• BrowserSessionStorageTokenStore: A token store that stores tokens in the browsers session storage.
• BrowserLocalStorageTokenStore: A token store that stores tokens in the browser's local storage.

The following refresh token stores are included in Blazorade ID.

• NullRefreshTokenStore: This is the default refresh token store. This store does not store refresh tokens anywhere.
• InMemoryRefreshTokenStore: Stores refresh tokens in the application's memory.
• BrowserSessionStorageRefreshTokenStore: Stores refresh tokens in the browser's session storage.
• BrowserLocalStorageRefreshTokenStore: Stores refresh tokens in the browser's local storage.

Now that you have the basic information about token stores in Blazorade ID, it is time to look at how you configure different token stores in your application.

You configure token stores as services for your application. Start with the services collection you configured in the Getting Started section. Below we add token store that uses the browser's session store as the token store. Also, we add the in-memory refresh token store to the services collection too.

builder.Services
    .AddBlazoradeIdWasmApplication()
    .AddAuthority((sp, options) => 
    {
        // Add your IdP configuration here.
    })
    .AddTokenStore<BrowserSessionStorageTokenStore>()
    .AddRefreshTokenStore<InMemoryRefreshTokenStore>()
    ;