In-memory/production distributed caches (#544)

Author: guardrex

9.0/BlazorWebAppEntra/BlazorWebAppEntra/BlazorWebAppEntra.csproj

@@ -8,9 +8,12 @@
 
   <ItemGroup>
     <ProjectReference Include="..\BlazorWebAppEntra.Client\BlazorWebAppEntra.Client.csproj" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="9.0.4" />
-    <PackageReference Include="Microsoft.Identity.Web" Version="3.8.3" />
-    <PackageReference Include="Microsoft.Identity.Web.DownstreamApi" Version="3.8.3" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.5.0" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.6.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="9.0.5" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="9.0.5" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="3.9.1" />
+    <PackageReference Include="Microsoft.Identity.Web.DownstreamApi" Version="3.9.1" />
   </ItemGroup>
 
 </Project>

9.0/BlazorWebAppEntra/BlazorWebAppEntra/Program.cs

@@ -1,9 +1,12 @@
-using BlazorWebAppEntra.Client.Weather;
-using BlazorWebAppEntra.Components;
-using BlazorWebAppEntra.Weather;
+using Azure.Identity;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.TokenCacheProviders.Distributed;
+using BlazorWebAppEntra.Client.Weather;
+using BlazorWebAppEntra.Components;
+using BlazorWebAppEntra.Weather;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -31,7 +34,29 @@
         configOptions.BaseUrl = "{BASE URL}";
         configOptions.Scopes = [ "{APP ID URI}/Weather.Get" ];
     })
-    .AddInMemoryTokenCaches();
+    .AddDistributedTokenCaches();
+
+builder.Services.AddDistributedMemoryCache();
+
+builder.Services.Configure<MsalDistributedTokenCacheAdapterOptions>(
+    options =>
+    {
+        // Disable L1 Cache default: false
+        //options.DisableL1Cache = false;
+        
+        // L1 Cache Size Limit default: 500 MB
+        //options.L1CacheOptions.SizeLimit = 500 * 1024 * 1024;
+        
+        // Encrypt tokens at rest default: false
+        options.Encrypt = true;
+        
+        // Sliding Expiration default: 1 hour
+        //options.SlidingExpiration = TimeSpan.FromHours(1);
+    });
+
+builder.Services.AddDataProtection()
+    .PersistKeysToAzureBlobStorage(new Uri("{BLOB URI WITH SAS TOKEN}"))
+    .ProtectKeysWithAzureKeyVault(new Uri("{KEY IDENTIFIER}"), new DefaultAzureCredential());
 
 builder.Services.AddAuthorization();
 

9.0/BlazorWebAppEntra/README.md

@@ -1,3 +1,7 @@
 # `BlazorWebAppEntra`
 
 Sample app to accompany [Secure an ASP.NET Core Blazor Web App with Microsoft Entra ID](https://learn.microsoft.com/aspnet/core/blazor/security/blazor-web-app-with-entra?pivots=non-bff-pattern).
+
+## Use a production distributed token cache provider
+
+The sample app uses in-memory distributed token caches, but a production distributed token cache provider is recommended for production apps. For more information, see [Use a production distributed token cache provider](https://learn.microsoft.com/aspnet/core/blazor/security/blazor-web-app-with-entra?pivots=non-bff-pattern#use-a-production-distributed-token-cache-provider).

9.0/BlazorWebAppEntraBff/BlazorWebAppEntra.Client/BlazorWebAppEntra.Client.csproj

@@ -9,9 +9,9 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="9.0.4" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="9.0.4" />
-    <PackageReference Include="Microsoft.Extensions.Http" Version="9.0.4" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="9.0.5" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="9.0.5" />
+    <PackageReference Include="Microsoft.Extensions.Http" Version="9.0.5" />
   </ItemGroup>
 
 </Project>

9.0/BlazorWebAppEntraBff/BlazorWebAppEntra/BlazorWebAppEntra.csproj

@@ -9,10 +9,13 @@
   <ItemGroup>
     <ProjectReference Include="..\Aspire\Aspire.ServiceDefaults\Aspire.ServiceDefaults.csproj" />
     <ProjectReference Include="..\BlazorWebAppEntra.Client\BlazorWebAppEntra.Client.csproj" />
-    <PackageReference Include="Microsoft.Identity.Web" Version="3.8.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="9.0.4" />
-    <PackageReference Include="Microsoft.Extensions.ServiceDiscovery.Yarp" Version="9.2.0" />
-    <PackageReference Include="Microsoft.Identity.Web.DownstreamApi" Version="3.8.3" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.5.0" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.6.0" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="9.0.5" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="3.9.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="9.0.5" />
+    <PackageReference Include="Microsoft.Extensions.ServiceDiscovery.Yarp" Version="9.3.0" />
+    <PackageReference Include="Microsoft.Identity.Web.DownstreamApi" Version="3.9.1" />
   </ItemGroup>
 
 </Project>

9.0/BlazorWebAppEntraBff/BlazorWebAppEntra/Program.cs

@@ -1,10 +1,13 @@
+using Azure.Identity;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.TokenCacheProviders.Distributed;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Yarp.ReverseProxy.Transforms;
 using BlazorWebAppEntra;
 using BlazorWebAppEntra.Client.Weather;
 using BlazorWebAppEntra.Components;
-using Microsoft.AspNetCore.Authentication.OpenIdConnect;
-using Microsoft.Identity.Web;
-using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -28,7 +31,29 @@
         configOptions.BaseUrl = "{BASE URL}";
         configOptions.Scopes = [ "{APP ID URI}/Weather.Get" ];
     })
-    .AddInMemoryTokenCaches();
+    .AddDistributedTokenCaches();
+
+builder.Services.AddDistributedMemoryCache();
+
+builder.Services.Configure<MsalDistributedTokenCacheAdapterOptions>(
+    options => 
+    {
+      // Disable L1 Cache default: false
+      //options.DisableL1Cache = false;
+        
+      // L1 Cache Size Limit default: 500 MB
+      //options.L1CacheOptions.SizeLimit = 500 * 1024 * 1024;
+        
+      // Encrypt tokens at rest default: false
+      options.Encrypt = true;
+        
+      // Sliding Expiration default: 1 hour
+      //options.SlidingExpiration = TimeSpan.FromHours(1);
+    });
+
+builder.Services.AddDataProtection()
+    .PersistKeysToAzureBlobStorage(new Uri("{BLOB URI WITH SAS TOKEN}"))
+    .ProtectKeysWithAzureKeyVault(new Uri("{KEY IDENTIFIER}"), new DefaultAzureCredential());
 
 builder.Services.AddOptions<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme).Configure(oidcOptions =>
 {

9.0/BlazorWebAppEntraBff/README.md

@@ -17,6 +17,10 @@ If you need to open an issue that pertains to the coding of the sample app, open
 
 Configure the solution following the guidance in [Secure an ASP.NET Core Blazor Web App with Microsoft Entra ID (BFF pattern)](https://learn.microsoft.com/aspnet/core/blazor/security/blazor-web-app-with-entra?pivots=bff-pattern).
 
+## Use a production distributed token cache provider
+
+The sample app uses in-memory distributed token caches, but a production distributed token cache provider is recommended for production apps. For more information, see [Use a production distributed token cache provider](https://learn.microsoft.com/aspnet/core/blazor/security/blazor-web-app-with-entra?pivots=non-bff-pattern#use-a-production-distributed-token-cache-provider).
+
 ## Run the sample
 
 ### Visual Studio