
I create a token with IdentityServer4. I copied this example and just modified this:

in IdentityServer -> Config

    using System.Collections.Generic;
    using IdentityServer4.Models;

    public static class Config
    {
        public static IEnumerable<Client> GetClients()
        {
            return new List<Client>
            {
                new Client
                {
                    ClientId = "client",
                    // Client credentials grant: machine-to-machine, no user involved
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    ClientSecrets =
                    {
                        new Secret("secret".Sha256())
                    },
                    AllowedScopes = { "tbtsmth" },
                    // Lifetimes are in seconds
                    AccessTokenLifetime = 10,
                    IdentityTokenLifetime = 10
                }
            };
        }
    }

My token should expire in 10 seconds, and every 10 seconds I have a refresh token, but I don't know how to test it. I do something like this:

    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Threading;

    // tokenResponse holds the result of the client credentials request to the token endpoint
    var tokenHandler = new JwtSecurityTokenHandler();
    var jwtSecurityToken = tokenHandler.ReadJwtToken(tokenResponse.AccessToken);

    // Wait for the 10-second AccessTokenLifetime to pass
    Thread.Sleep(10000);

    // Compare the token's exp claim (ValidTo) with the local clock
    if (jwtSecurityToken.ValidTo < DateTime.UtcNow)
        Console.WriteLine("expired");
    else
        Console.WriteLine("not expired");

It returns "expired". I thought that it should return "not expired" because it will be refreshed.

user10863293
    You may want to change (at least) the title. It now seems that you are asking the [same question](https://stackoverflow.com/questions/58997487/how-can-i-test-if-my-token-is-expired-with-identityserver4) twice. –  Dec 02 '19 at 14:31
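The snippet in the question only compares the token's `exp` claim with the local clock. The following is an added example, not code from the question or from IdentityServer4: it mints a short-lived JWT locally with a constructed symmetric key (so the check can be run offline, with a placeholder issuer), then contrasts the raw `ValidTo` comparison with full validation through `JwtSecurityTokenHandler.ValidateToken`. The point worth knowing when testing a 10-second lifetime is that `TokenValidationParameters.ClockSkew` defaults to five minutes, so a validator left at its defaults will still accept the token well after `ValidTo`; the example sets the skew to zero.

```csharp
// Added example (not from the question): mint a short-lived JWT with a constructed
// test key, then check expiry both by claim and by validation with zero clock skew.
// Requires the System.IdentityModel.Tokens.Jwt package.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading;
using Microsoft.IdentityModel.Tokens;

public static class ExpiryCheck
{
    // Constructed 256-bit test key; only for this local experiment.
    private static readonly SymmetricSecurityKey TestKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("test-key-0123456789abcdef0123456"));

    private const string Issuer = "https://localhost:5001"; // placeholder issuer
    private const string Audience = "tbtsmth";              // scope name from the question

    // Creates a signed JWT whose exp claim is 'lifetime' from now.
    public static string MintToken(TimeSpan lifetime)
    {
        var now = DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            NotBefore = now,
            Expires = now.Add(lifetime),
            Subject = new ClaimsIdentity(new[] { new Claim("client_id", "client") }),
            SigningCredentials = new SigningCredentials(TestKey, SecurityAlgorithms.HmacSha256),
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Raw check, as in the question: the exp claim against the local clock, nothing else.
    public static bool IsExpiredByClaim(string jwt) =>
        new JwtSecurityTokenHandler().ReadJwtToken(jwt).ValidTo < DateTime.UtcNow;

    // Validation check: signature, issuer, audience and lifetime. ClockSkew is set to
    // zero because the default of five minutes would mask a 10-second expiry.
    public static bool IsExpiredByValidation(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = TestKey,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero,
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return false;
        }
        catch (SecurityTokenExpiredException)
        {
            return true;
        }
    }

    public static void Main()
    {
        var jwt = MintToken(TimeSpan.FromSeconds(2));
        Console.WriteLine($"claim: {IsExpiredByClaim(jwt)}, validation: {IsExpiredByValidation(jwt)}");
        Thread.Sleep(3000);
        Console.WriteLine($"claim: {IsExpiredByClaim(jwt)}, validation: {IsExpiredByValidation(jwt)}");
    }
}
```

Run with the `System.IdentityModel.Tokens.Jwt` package referenced; both checks report the token as valid on the first line and expired on the second. Against a token issued by IdentityServer4 the validating side would use the server's signing keys from its discovery document rather than a shared test key.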

1 Answer


There is no refresh token in the client credentials flow. From the documentation:

Refresh tokens are supported for the following flows: authorization code, hybrid and resource owner password credential flow.

There is no user involved, so there is no need for a refresh token. You'll simply request a new token.


So when can you use a refresh token? When an access token is required in a user flow, e.g. when you have a client that doesn't use cookies or needs to access an API.

The problem with a Jwt access token is that the token expires. Once expired, user interaction is required to request a new access token. Because that's not a good user experience, the client can use a refresh token to request a new access token.

The refresh token is not the same as a JWT access token. The refresh token doesn't have to be a JWT; it's kept server side, has a (far) longer lifetime (expiration) than an access token, and it can be revoked. Revoking a refresh token means that the refresh token can no longer be used.

Think of the refresh token as some sort of key that allows the client to request new access tokens.

Refreshing the token is never automatic, so you'll have to build logic into the client to refresh tokens. Here's an example of how to refresh the token for the allowed flows.

The flow could be something like this, from my answer here:

  1. the user logs in, receives a JWT access token (5 minutes) and the refresh token 1 code (48 hours). Refresh token 1 is saved on the server.
  2. five minutes later: the access token expires
  3. a new access token is requested using refresh token 1.
  4. user receives a new access token (5 minutes) AND the refresh token 2 code (48 hours). Token 1 is removed from memory and token 2 is added to memory.
  5. and this goes on for several hours.
  6. For two days the user doesn't use the app
  7. 50 hours later: because both tokens are expired, the user has to log in again, resetting the flow.
  • I can explain my project to you: I created a project with a license system; each module needs a token to work. This token has to work for 5 minutes and needs to be refreshed. – user10863293 Dec 02 '19 at 16:07
  • We will need something to check every 5 minutes whether the token still works; do you think I have to use reference tokens? – user10863293 Dec 03 '19 at 08:58
  • Giving it some extra thought, your approach will not work with licenses as the user remains authenticated. IdentityServer is about authenticating the user and the license is about authorizing the user. [Resource-based authorization](https://learn.microsoft.com/aspnet/core/security/authorization/resourcebased) may be a better solution for you. –  Dec 03 '19 at 10:30
  • So you think I have to use this instead of IdentityServer4? – user10863293 Dec 03 '19 at 16:14
  • IdentityServer is about authenticating _users_ and authorizing _clients_. User authorization is not part of IdentityServer, as [commented here](https://leastprivilege.com/2016/12/16/identity-vs-permissions/#comment-131079). I recommend that you read the article itself for more information. Authorization has multiple levels, so it's not just this _or_ that, but probably this _and_ that. So keep using IdentityServer for authentication and decide what suits best for [authorization](https://learn.microsoft.com/aspnet/core/security/authorization/introduction). –  Dec 03 '19 at 17:05
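The seven-step flow in the answer is easiest to reason about when the server-side bookkeeping is visible. The following is an added example, not code from the answer or from IdentityServer4: a minimal in-memory store that issues a short-lived access token together with a long-lived refresh token, rotates the refresh token on every use (token 1 is deleted when token 2 is issued, so a reused or leaked old token is rejected), supports revocation, and forces a new login once the refresh token itself has expired. The access token is an opaque string with an expiry rather than a signed JWT, the subject name and start time are constructed, and the clock is injectable so the 50-hour scenario can be simulated without waiting.

```csharp
// Added example (not from the answer or IdentityServer4): server-side refresh token
// rotation as described in steps 1-7, with an injectable clock for simulation.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class TokenPair
{
    public TokenPair(string accessToken, DateTime accessExpiresAtUtc, string refreshToken)
    {
        AccessToken = accessToken;
        AccessExpiresAtUtc = accessExpiresAtUtc;
        RefreshToken = refreshToken;
    }
    public string AccessToken { get; }
    public DateTime AccessExpiresAtUtc { get; }
    public string RefreshToken { get; }
    public bool AccessExpired(DateTime nowUtc) => nowUtc >= AccessExpiresAtUtc;
}

public sealed class RefreshTokenStore
{
    // Refresh tokens are kept server side, keyed by their opaque value.
    private readonly Dictionary<string, (string Subject, DateTime ExpiresAtUtc)> _refreshTokens =
        new Dictionary<string, (string Subject, DateTime ExpiresAtUtc)>();
    private readonly TimeSpan _accessLifetime;
    private readonly TimeSpan _refreshLifetime;
    private readonly Func<DateTime> _clock;

    public RefreshTokenStore(TimeSpan accessLifetime, TimeSpan refreshLifetime, Func<DateTime> clock)
    {
        _accessLifetime = accessLifetime;
        _refreshLifetime = refreshLifetime;
        _clock = clock;
    }

    public int StoredRefreshTokens => _refreshTokens.Count;

    // Step 1: login issues an access token and refresh token 1, which is saved on the server.
    public TokenPair Login(string subject) => Issue(subject);

    // Steps 3-4: exchange a refresh token for a new pair. The presented token is always
    // removed first (one-time use), so a second use of the same value is rejected.
    public bool TryRefresh(string refreshToken, out TokenPair pair)
    {
        pair = null;
        if (!_refreshTokens.Remove(refreshToken, out var entry))
            return false;                       // unknown, already used, or revoked
        if (_clock() >= entry.ExpiresAtUtc)
            return false;                       // step 7: refresh token expired, log in again
        pair = Issue(entry.Subject);
        return true;
    }

    // Revocation: the refresh token can no longer be used.
    public void Revoke(string refreshToken) => _refreshTokens.Remove(refreshToken);

    private TokenPair Issue(string subject)
    {
        var now = _clock();
        var refresh = NewOpaqueToken();
        _refreshTokens[refresh] = (subject, now + _refreshLifetime);
        return new TokenPair(NewOpaqueToken(), now + _accessLifetime, refresh);
    }

    private static string NewOpaqueToken()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);       // 256 bits of CSPRNG output
        return Convert.ToBase64String(bytes);
    }
}

public static class Demo
{
    public static void Main()
    {
        var now = new DateTime(2019, 12, 2, 12, 0, 0, DateTimeKind.Utc);   // constructed start time
        var store = new RefreshTokenStore(TimeSpan.FromMinutes(5), TimeSpan.FromHours(48), () => now);

        var pair1 = store.Login("alice");                                  // step 1
        now = now.AddMinutes(5);                                           // step 2
        Console.WriteLine($"access token expired: {pair1.AccessExpired(now)}");

        var ok = store.TryRefresh(pair1.RefreshToken, out var pair2);      // steps 3-4
        Console.WriteLine($"refresh accepted: {ok}, stored refresh tokens: {store.StoredRefreshTokens}");

        var reuse = store.TryRefresh(pair1.RefreshToken, out _);           // token 1 was removed
        Console.WriteLine($"second use of token 1 accepted: {reuse}");

        now = now.AddHours(50);                                            // steps 6-7
        var stale = store.TryRefresh(pair2.RefreshToken, out _);
        Console.WriteLine($"refresh after 50 hours accepted: {stale}");
    }
}
```

The first refresh succeeds and leaves exactly one stored refresh token, the replay of token 1 fails, and the refresh attempted 50 hours later fails, which is the point at which the user has to log in again. In IdentityServer4 the equivalent behaviour is configured on the client (`RefreshTokenUsage`, `RefreshTokenExpiration`, `AbsoluteRefreshTokenLifetime`), and none of it applies to the client credentials flow in the question, which has no refresh token at all.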