proggrock

Reputation: 3289

Issue a refresh token in aspnet5 rc1 Web API2 identity 3 using JwtBearerAuthentication

I'm currently stuck on the mechanics of how to implement a refresh token flow in aspnet5.

Goal: I want to intercept every transaction to check if the token is expired or about to expire and if so, renew it. (I'm already validating the signature of it).

I found I can discover when the expiry is expiring in Startup.cs when setting the JWT options:

app.UseJwtBearerAuthentication(options =>
{
    options.Audience = "http://localhost:7001";
    //options.Authority = "http://localhost:7001";
    options.AutomaticAuthenticate = true;
    options.RequireHttpsMetadata = false;

    options.TokenValidationParameters = new TokenValidationParameters()
    {
        // Runs for every bearer token after the signature check. Returning false makes
        // the middleware reject the request ("Lifetime validator failed"). A custom
        // validator replaces the built-in lifetime check, so ClockSkew is not applied here.
        LifetimeValidator = (DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters) =>
        {
            // No exp claim: nothing to check, and expires.Value would throw on null.
            if (!expires.HasValue)
            {
                return false;
            }
            if (expires.Value < DateTime.UtcNow)
            {
                // it's expired! issue a refresh token here?
                return false;
            }
            return true;
        },
        IssuerSigningKey = key,                 // key used to verify the JWT signature
        ValidAudience = tokenOptions.Audience,
        ValidIssuer = tokenOptions.Issuer,
        ValidateSignature = true,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromMinutes(10)    // tolerated drift between issuer and API clocks
    };
});

Currently this just throws an exception that "Lifetime validator failed"... and that's where I'm at.

Am I going about this the right way? Is this the right place to be checking expiration? How specifically do I ask the API to issue a refresh token from here?

Upvotes: 1

Views: 447

Answers (1)

Kévin Chalet

Reputation: 42100

Am I going about this the right way? Is this the right place to be checking expiration?

No: though the resource servers (i.e. the API endpoints) should always ensure received tokens are still valid, it's not their responsibility to renew expired tokens.

It's definitely something the client applications should themselves ask of the authorization server that issued the refresh token. For that, they can use the expires_in property returned in the token response as a hint and/or catch 401 responses from your API to determine whether the access token they are using is still valid.

How specifically do I ask the API to issue a refresh token from here?

Issuing a new access token from a refresh token is usually done by an authorization server/identity provider. It would definitely help if you added more details about this aspect of your application (does it support OAuth2 or OpenID Connect?).

When using an OAuth2 server, retrieving a new access token can be done using the refresh_token grant:

 POST /token HTTP/1.1
 Host: server.example.com
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

Upvotes: 1
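The client side of the flow the answer describes, as an added example that is not code from the question, the answer or ASP.NET: a small in-process Python simulation of the authorization server's /token endpoint, the API (which only validates, never renews) and a client that refreshes either when its expires_in bookkeeping says the token is about to lapse or when the API returns 401. The client id and secret are the ones encoded in the answer's Basic header; the token values, the fake clock and the single-use refresh-token rule are assumptions made for the example.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode

# Added example: in-process stand-ins, not a real OAuth2 library. Tokens and clock are constructed.
CLOCK_SKEW = 30  # seconds: refresh this long before expires_in says the token lapses

def basic_header(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

class AuthServer:
    """Stand-in for the authorization server that issued the tokens."""
    def __init__(self, clock):
        self.clock = clock
        self.clients = {"s6BhdRkqt3": "gX1fBat3bV"}  # client credentials from the answer's Basic header
        self.access_tokens = {}   # access_token -> absolute expiry (unix seconds)
        self.refresh_tokens = {}  # refresh_token -> client_id

    def issue(self, client_id, lifetime=60):
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access_tokens[access] = self.clock() + lifetime
        self.refresh_tokens[refresh] = client_id
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": lifetime, "refresh_token": refresh}

    def token_endpoint(self, headers, body):
        """POST /token: grant_type=refresh_token with HTTP Basic client authentication."""
        try:
            scheme, cred = headers["Authorization"].split(" ", 1)
            client_id, secret = base64.b64decode(cred).decode().split(":", 1)
        except (KeyError, ValueError):
            return 401, {"error": "invalid_client"}
        if scheme != "Basic" or self.clients.get(client_id) != secret:
            return 401, {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        # Refresh tokens are single-use here: a replayed one is refused (rotation).
        if self.refresh_tokens.pop(form.get("refresh_token"), None) != client_id:
            return 400, {"error": "invalid_grant"}
        return 200, self.issue(client_id)

class ResourceServer:
    """The API: checks the bearer token on every request but never renews it."""
    def __init__(self, auth, clock):
        self.auth, self.clock = auth, clock

    def get(self, headers):
        header = headers.get("Authorization", "")
        token = header[len("Bearer "):] if header.startswith("Bearer ") else ""
        expiry = self.auth.access_tokens.get(token)
        if expiry is None or expiry <= self.clock():
            return 401, {"error": "invalid_token"}
        return 200, {"data": "ok"}

class Client:
    """Keeps the tokens and decides when to use the refresh_token grant."""
    def __init__(self, auth, api, client_id, secret, clock, token_response):
        self.auth, self.api, self.clock = auth, api, clock
        self.client_id, self.secret, self.refreshes = client_id, secret, 0
        self._store(token_response)

    def _store(self, resp):
        self.access_token, self.refresh_token = resp["access_token"], resp["refresh_token"]
        self.expires_at = self.clock() + resp["expires_in"]  # expires_in is only a hint

    def refresh(self):
        body = urlencode({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        status, resp = self.auth.token_endpoint(
            {"Authorization": basic_header(self.client_id, self.secret),
             "Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError("refresh failed: " + resp["error"])
        self.refreshes += 1
        self._store(resp)

    def call_api(self):
        if self.clock() >= self.expires_at - CLOCK_SKEW:  # hint 1: expires_in bookkeeping
            self.refresh()
        status, body = self.api.get({"Authorization": "Bearer " + self.access_token})
        if status == 401:                                  # hint 2: the API rejected the token
            self.refresh()
            status, body = self.api.get({"Authorization": "Bearer " + self.access_token})
        return status, body

def run_scenario():
    now = [1_000_000]                    # fake clock so the example runs instantly
    clock = lambda: now[0]
    auth = AuthServer(clock)
    api = ResourceServer(auth, clock)
    client = Client(auth, api, "s6BhdRkqt3", "gX1fBat3bV", clock,
                    auth.issue("s6BhdRkqt3", lifetime=60))
    statuses = [client.call_api()[0]]    # fresh token: no refresh
    now[0] += 40                          # inside the skew window: refresh before calling
    statuses.append(client.call_api()[0])
    spent = client.refresh_token
    auth.access_tokens.pop(client.access_token)  # revoked server-side; only a 401 reveals it
    statuses.append(client.call_api()[0])
    replay = auth.token_endpoint({"Authorization": basic_header("s6BhdRkqt3", "gX1fBat3bV")},
                                 urlencode({"grant_type": "refresh_token", "refresh_token": spent}))
    return {"statuses": statuses, "refreshes": client.refreshes, "replay": replay[1]["error"]}
```

Running `run_scenario()` gives three successful API calls with two refreshes: one triggered by the expires_in hint, one by the 401 after the server-side revocation, and the attempt to reuse the already-spent refresh token is refused with `invalid_grant`. The same split applies to the question's Startup.cs: the LifetimeValidator there belongs to the ResourceServer role and should only say yes or no.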
