
I have an ASP.NET Core 2.0 web application which connects to an IdentityServer 4 application for authentication. There is also an API involved. The API consumes an access token as a bearer token.

My startup:

services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = idsEndPoint;
        options.RequireHttpsMetadata = false;
        options.ClientId = "testclient";
        options.ClientSecret = "secret";
        options.ResponseType = "code id_token";
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("testapi");
    });

Controller:

In my controllers I can see my tokens; they are all populated, and I can use the access token in my API calls.

using Microsoft.AspNetCore.Authentication;              // GetTokenAsync extension
using Microsoft.IdentityModel.Protocols.OpenIdConnect;   // OpenIdConnectParameterNames

// The tokens are available here because SaveTokens = true stores them in the authentication cookie.
var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
var refreshToken = await HttpContext.GetTokenAsync(IdentityConstants.HttpContextHeaders.RefreshToken);
var idToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.IdToken);

Question:

My problem occurs after one hour where the access token expires. It appears that it is not automatically being refreshed. I am wondering if this is a setting in my authentication that will cause it to refresh it. However I have been unable to find out how I am supposed to force it to refresh the access token after it has expired.

My current solution is to refresh it myself but I would have thought this would be built into the cookie middleware.

Linda Lawton - DaImTo

  • How to handle expired access token in asp.net core using refresh token with OpenId Connect: https://stackoverflow.com/questions/40032851/how-to-handle-expired-access-token-in-asp-net-core-using-refresh-token-with-open – Houssem Romdhani Apr 16 '18 at 08:24
  • @HoussemRomdhani nice try, but that's what my old application used; this is .NET Core 2.0, so that doesn't work anymore. That's 1.1.x – Linda Lawton - DaImTo Apr 16 '18 at 08:30
  • Try this configuration: https://github.com/mderriey/TokenRenewal/blob/master/src/MvcClient/Startup.cs – Houssem Romdhani Apr 16 '18 at 08:40
  • Wow, that looks like something useful, thanks. I will get back to you. You may want to add it as an answer at any rate. – Linda Lawton - DaImTo Apr 16 '18 at 08:48
  • It kind of doesn't make sense to do this; I'm not sure why GetTokenAsync("access_token") would even bother returning an expired token without any indication that it's expired. This adds burden to do complicated checks on every request. – sksallaj Nov 29 '18 at 21:45
  • Have there been no improvements in .NET Core to manage this automatically? – CurlyFire Dec 17 '18 at 20:59

2 Answers

For automatic refresh tokens, add options.Scope.Add("offline_access"); to the AddOpenIdConnect() options.
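Requesting offline_access makes IdentityServer4 issue a refresh token, which the OpenIdConnect handler stores in the cookie next to access_token and expires_at when SaveTokens = true; in ASP.NET Core 2.0 neither the cookie nor the OpenIdConnect handler renews the access token for you, so the renewal step the question describes still has to be done by the application. The following is an added example, not code from the question or either answer, of that step: it checks expires_at from the cookie, performs a standard OAuth2 refresh_token grant, and writes the new tokens back into the cookie. It assumes IdentityServer4's default /connect/token endpoint and the testclient/secret client from the question.

```csharp
// Added example, not from the question or either answer. Assumes IdentityServer4's standard
// token endpoint at "{Authority}/connect/token", the "testclient"/"secret" client from the
// question, SaveTokens = true and the "offline_access" scope (cookie holds expires_at + refresh_token).
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Newtonsoft.Json.Linq;
public static class TokenRefresher
{
    // Returns a usable access token, renewing it with the refresh token when it is within 'skew' of expiring.
    public static async Task<string> GetValidAccessTokenAsync(
        HttpContext ctx, HttpClient http, string authority, TimeSpan skew)
    {
        var auth = await ctx.AuthenticateAsync("Cookies");
        if (!auth.Succeeded) throw new UnauthorizedAccessException("Not signed in.");
        var props = auth.Properties;
        var expiresAt = DateTimeOffset.Parse(props.GetTokenValue("expires_at"), CultureInfo.InvariantCulture);
        if (expiresAt - skew > DateTimeOffset.UtcNow)
            return props.GetTokenValue("access_token");   // still valid, nothing to do
        var refreshToken = props.GetTokenValue("refresh_token");
        if (string.IsNullOrEmpty(refreshToken))
            throw new InvalidOperationException("No refresh token stored: request the offline_access scope.");
        // Standard OAuth2 refresh_token grant against the token endpoint.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = refreshToken,
            ["client_id"] = "testclient",
            ["client_secret"] = "secret",
        });
        var response = await http.PostAsync(authority.TrimEnd('/') + "/connect/token", form);
        if (!response.IsSuccessStatusCode)
        {
            // Refresh token expired or revoked: drop the stale session instead of reusing it.
            await ctx.SignOutAsync("Cookies");
            throw new UnauthorizedAccessException("Token refresh failed; the user must sign in again.");
        }
        var json = JObject.Parse(await response.Content.ReadAsStringAsync());
        var newExpiry = DateTimeOffset.UtcNow.AddSeconds(json.Value<int>("expires_in"));
        props.UpdateTokenValue("access_token", json.Value<string>("access_token"));
        props.UpdateTokenValue("refresh_token", json.Value<string>("refresh_token") ?? refreshToken);
        props.UpdateTokenValue("expires_at", newExpiry.ToString("o", CultureInfo.InvariantCulture));
        await ctx.SignInAsync("Cookies", auth.Principal, props);  // re-issue the cookie with the new tokens
        return json.Value<string>("access_token");
    }
}
```

Calling it with a small skew (a minute or so) before each API call avoids sending a token that expires mid-request; if IdentityServer4 rotates refresh tokens, the new one replaces the old one in the cookie.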


This approach uses OpenIddict; you need to implement the main configuration inside Startup.cs. The following link is an excellent example of this implementation. Hope it is useful:
https://github.com/openiddict/openiddict-samples/tree/dev/samples/RefreshFlow

using System.Security.Claims;
using AspNet.Security.OpenIdConnect.Extensions;   // AddClaim(type, value, destinations), SetScopes
using AspNet.Security.OpenIdConnect.Primitives;   // OpenIdConnectConstants, OpenIdConnectRequest/Response
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Server;                          // OpenIddictServerDefaults

// Token endpoint action; the surrounding method is added here for context, the body is the posted code.
[HttpPost("~/connect/token"), Produces("application/json")]
public IActionResult Exchange(OpenIdConnectRequest request)
{
    if (request.IsPasswordGrantType())
    {
        if (!Email_Regex_Validation.Check_Valid_Email_Regex(request.Username))
        {
            return BadRequest(Resources.RegexEmail);
        }

        SpLoginUser stored = new SpLoginUser(_context);
        string result = stored.Usp_Login_User(request.Username, request.Password);

        if (!result.Contains("successfully"))
        {
            return Forbid(OpenIddictServerDefaults.AuthenticationScheme);
        }

        // Create a new ClaimsIdentity holding the user identity.
        var identity = new ClaimsIdentity(
            OpenIddictServerDefaults.AuthenticationScheme,
            OpenIdConnectConstants.Claims.Name,
            OpenIdConnectConstants.Claims.Role);

        // Claims given the IdentityToken destination are serialized into the id_token.
        identity.AddClaim(Resources.issuer, Resources.secret,
            OpenIdConnectConstants.Destinations.IdentityToken);
        identity.AddClaim(OpenIdConnectConstants.Claims.Name, request.Username,
            OpenIdConnectConstants.Destinations.IdentityToken);

        var ticket = new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(),
            OpenIddictServerDefaults.AuthenticationScheme);

        // Granting offline_access is what makes OpenIddict include a refresh token in the response.
        ticket.SetScopes(OpenIdConnectConstants.Scopes.OfflineAccess);

        // Ask OpenIddict to generate a new token and return an OAuth2 token response.
        return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
    }

    return BadRequest(new OpenIdConnectResponse
    {
        Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
        ErrorDescription = "The specified grant type is not supported."
    });
}