3

I am in need of refresh token in an ASP.NET Core application. Currently, I have implemented refresh/access token. In my implementation, refresh token and its expiration date is stored along with User entity in the database. And, a refresh token could be used to generate new access tokens without using user/password. This works fine but, I wonder if ASP.NET Core itself or third party packages like Open Id Connect has an implementation of refresh token or not. The apllication is based on JWT and ASP.NET Identity.

While searching the web, I have found that a method named HttpContext.GetTokenAsync() exists in the Microsoft.AspNetCore.Authentication. Additionaly this question and this question on SO are discussing similiar ideas; but I am still not sure what component or implemenation they are using. And, where is refresh token is stored. In the database? another place?

Afshar Mohebi
  • 10,479
  • 17
  • 82
  • 126

1 Answers1

3

GetTokenAsync is an extension that is located in the Microsoft.AspNetCore.Authentication.Abstractions package.

Here's some code that you can use for token renewal in the client.

If you are looking for an OpenId Connect implementation then take a look at IdentityServer4. For other solutions: Community OSS authentication options for ASP.NET Core

There are different strategies for Refresh Tokens. You can use a self-contained token that doesn't need to be stored on the server. The client can use this token until it expires. This token can't be revoked.

The alternative is to use a 'one-time-use' code that is stored in the database. Once used, the code is replaced with a new code. This allows the server to revoke the refresh token (by simply removing it from the store).

I'm not sure if this covers all your questions, so let me know if something is missing or is not clear.

  • Thanks for your answer. In my situation, I intend to have two seperate tokens: one for access token and another for refresh token. The reason of using refresh token is that I want the revoke ability. Just thought that whether a ready-to-use implementation exists or not. – Afshar Mohebi May 06 '19 at 14:14
  • 1
    IdentityServer4 is an implementation of oauth2/oidc. Take a look at the [specifications](http://docs.identityserver.io/en/latest/intro/specs.html). It has server side [refresh token](http://docs.identityserver.io/en/latest/topics/refresh_tokens.html) handling. –  May 06 '19 at 15:09
  • IdentityServer4 implements a similar mechanism for access tokens, the [Reference Token](http://docs.identityserver.io/en/latest/topics/reference_tokens.html): _IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token._ –  May 06 '19 at 15:22
  • 1
    Thanks for comment, but IdentityServer is seprate server while I want to handle all sections in my own application. I want just one application not two. – Afshar Mohebi May 07 '19 at 06:35