To give some background, bear with me,
- We have an existing external OAuth service that is used for shared authentication across all of our apps. It has a login form that is used for user auth and provides JWTs for its APIs, which are called in the app I'm currently working on.
- The app I'm working on is using .NET Core 2.0 with a React front end. The server side is basically responsible for managing the token for the external APIs, and providing 'proxy' APIs for the React client to call, which then in turn call the external APIs. Essentially the architecture is like any other standard Web API/MVC app, but instead of grabbing data from a database directly, it's just calling some other external APIs.
In the context of the .NET Core app, it is using JWT authentication for its APIs. Once the user has authenticated with that external service, they will have a JWT for the external APIs (stored in session) and another JWT for the internal 'proxy' APIs (passed to the client in a cookie). So the client makes a call ("api/users"), that gets routed to my controller, authorized using JWT, that controller makes a call to some UserService, which uses the JWT stored in the session to make a call to the external API.
React client makes API call with token --> .NET Core API grabs JWT stored in session --> uses JWT to make call to external API
This all works fine, but now I'm running into some issues with refreshing the client JWT. I'm currently passing just an access token to the client in a cookie, but I need to also pass a refresh token to the client so that it can grab a new access token when the expiration time has passed, which I'm not currently doing. I also need to somehow pass the expiration time of the token as well. Does it make sense to serialize all of this into a JSON object and pass that in a cookie? What would be a good way to get all of this to the client? I'm essentially trying to get to a point where the client will check, "Has my token expired yet?", if yes, use the refresh token to get a new one, if not, continue with the API call.
Sorry if all of this information is overkill for a simple question, just trying to give some context.
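As an added example (not code from the original post), here is how the React client could answer "Has my token expired yet?" by reading the `exp` claim that is already inside the JWT, so the expiry does not have to be shipped separately; `refreshFn` and `apiCall` are hypothetical callbacks standing in for the refresh-token exchange and the proxy API call.

```javascript
// Client-side expiry check for the proxy-API access token (added example).
// The client decodes the JWT payload only to schedule a refresh; it does NOT
// verify the signature. The .NET Core server still validates every token.
// Assumes Node >= 16 (Buffer) or a browser (atob); standard base64url JWT format.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  // base64url -> base64 (restore padding), then decode the JSON payload
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const json = typeof Buffer !== 'undefined'
    ? Buffer.from(padded, 'base64').toString('utf8')
    : atob(padded);
  return JSON.parse(json);
}

// True when the token is missing, malformed, has no exp, or expires within
// skewSeconds (so a call started just before expiry does not fail mid-flight).
function needsRefresh(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  if (!token) return true;
  let payload;
  try { payload = decodeJwtPayload(token); } catch { return true; }
  if (typeof payload.exp !== 'number') return true; // no exp claim: treat as expired
  return payload.exp - skewSeconds <= nowSeconds;
}

// Constructed sample token for demonstration: real header and payload, fake signature.
function makeSampleToken(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub: 'user1', exp })}.sig`;
}

// Wrapper the React client would use: refresh first if needed, then call the proxy API.
// refreshFn (hypothetical) exchanges the refresh token for a new access token;
// apiCall (hypothetical) performs the actual request with the token supplied.
async function callWithToken(token, refreshFn, apiCall) {
  const accessToken = needsRefresh(token) ? await refreshFn() : token;
  return apiCall(accessToken);
}
```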