
I'm currently stuck on the mechanics of how to implement a refresh token flow in ASP.NET 5.

Goal: I want to intercept every transaction to check if the token is expired or about to expire and if so, renew it. (I'm already validating the signature of it).

I found I can detect when the token is expiring in Startup.cs when setting the JWT options:

    app.UseJwtBearerAuthentication(options =>
    {
        options.Audience = "http://localhost:7001";
        //options.Authority = "http://localhost:7001";
        options.AutomaticAuthenticate = true;
        options.RequireHttpsMetadata = false;

        options.TokenValidationParameters = new TokenValidationParameters()
        {
            // Custom lifetime check, run by the middleware after the signature has been verified
            LifetimeValidator = (DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters) =>
            {
                if (expires.Value < DateTime.UtcNow)
                {
                    // it's expired! issue a refresh token here?
                    return false; // returning false makes the middleware reject the token
                }
                return true;
            },
            IssuerSigningKey = key,
            ValidAudience = tokenOptions.Audience,
            ValidIssuer = tokenOptions.Issuer,
            ValidateSignature = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(10)
        };
    });

Currently this just throws an exception ("Lifetime validator failed"), and that's where I'm at.

Am I going about this the right way? Is this the right place to be checking expiration? How specifically do I ask the API to issue a refresh token from here?

proggrock

1 Answer


Am I going about this the right way? Is this the right place to be checking expiration?

No: though the resource servers (i.e. the API endpoints) should always ensure received tokens are still valid, it's not their responsibility to renew expired tokens.

It's definitely something the client applications should themselves ask of the authorization server that issued the refresh token. For that, they can use the expires_in property returned in the token response as a hint and/or catch 401 responses from your API to determine whether the access token they are using is still valid.

How specifically do I ask the API to issue a refresh token from here?

Issuing a new access token from a refresh token is usually done by an authorization server/identity provider. It would definitely help if you added more details about this aspect of your application (does it support OAuth2 or OpenID Connect?)

When using an OAuth2 server, retrieving a new access token can be done using the refresh_token grant:

    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
Kévin Chalet
  • Thanks @Pinpoint. I was hoping you'd answer ;). I'll edit my code to demo and I understand how to do the first part now: returning a 401 to the client to inform of invalid token. As far as issuing the refresh token, my app is just one Web Api project that functions as the auth server ( signs/issues and receives tokens). I don't have OAuth or OpenId set up yet. So if I return a refresh token to the client all I need to do is replace the expired token in localStorage with the refresh token, and send that new one on all subsequent calls, correct? – proggrock Jan 22 '16 at 15:41
  • FYI, a 401 response should be automatically returned by the JWT bearer middleware but there's a bug in the RC1 version that causes a 500 response in this case: http://stackoverflow.com/a/34190002/542757. To answer your additional question: yes, client applications MUST discard old tokens when they receive a new token (https://tools.ietf.org/html/rfc6749#section-6). – Kévin Chalet Jan 22 '16 at 15:48