Reputation: 6258
We are using OpenIdConnect in an MVC application and are wondering about how to handle refresh tokens.
The application consists of a rather simple web frontend and a backend webservice, which is called by the web-site (the user-agent will never talk directly to the backend here, since the backend is intranet-facing only).
The backend is configured to use JwtBearerTokens and that works fine.
The frontend is configured to use OpenIdConnect and receives IdToken, AccessToken and RefreshToken from a local STS.
The AccessTokens are automatically exchanged from access_code by the OpenIdConnectHandler from AspNet Core.
When the AccessToken is about to expire, we tried to use the RefreshToken to acquire a new AccessToken. Originally we were about to use ADAL, but they removed AcquireTokenByRefreshToken from the API. Since we do not authenticate via ADAL, but with the AspNet built-in OIDC, we can not rely on ADAL's (non-HA) TokenCache.
So is there any (built-in) way to do this automatically?
If not, when we implement that on our own, where do we store the newly acquired AccessToken? I'd like to put it into HttpContext.Authentication, but that does not seem to provide any setters.
Upvotes: 2
Views: 1049
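The two things the question asks for, exchanging the refresh token at the STS token endpoint and then persisting the new tokens back into the authentication session, can be done with the built-in ASP.NET Core authentication APIs without ADAL. The following is an added example, not code from the question or the answer. It targets ASP.NET Core 2.x (`HttpContext.AuthenticateAsync`/`SignInAsync`; on 1.x the same members live on `HttpContext.Authentication`) and assumes the OpenIdConnect handler was registered with `SaveTokens = true` so that `access_token`, `refresh_token`, `id_token` and `expires_at` are stored in the cookie's `AuthenticationProperties`. The cookie scheme name, token endpoint URL and client credentials are placeholders.

```csharp
// Added example: refresh an OIDC access token server-side and write it back into
// the authentication cookie. Assumptions: ASP.NET Core 2.x, OpenIdConnect handler
// configured with SaveTokens = true, cookie scheme "Cookies", and a confidential
// client (client id + secret). All URLs and credentials below are placeholders.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Newtonsoft.Json.Linq;

public class TokenRefresher
{
    private const string CookieScheme = "Cookies";                       // assumed scheme name
    private const string TokenEndpoint = "https://sts.example/connect/token"; // placeholder
    private const string ClientId = "mvc-frontend";                       // placeholder
    private const string ClientSecret = "<client-secret-from-config>";    // placeholder

    // Reused HttpClient; the STS is a trusted, intranet-facing service here.
    private static readonly HttpClient Http = new HttpClient();

    // Returns an access token that is valid for at least `skew`; refreshes it first if needed.
    public async Task<string> GetValidAccessTokenAsync(HttpContext ctx, TimeSpan? skew = null)
    {
        var auth = await ctx.AuthenticateAsync(CookieScheme);
        if (!auth.Succeeded)
            throw new InvalidOperationException("No authenticated session.");

        var props = auth.Properties;
        var expiresAt = props.GetTokenValue("expires_at");   // stored by the OIDC handler as ISO-8601 ("o")
        var threshold = DateTimeOffset.UtcNow + (skew ?? TimeSpan.FromMinutes(2));

        if (expiresAt != null &&
            DateTimeOffset.Parse(expiresAt, CultureInfo.InvariantCulture) > threshold)
            return props.GetTokenValue("access_token");      // still fresh, nothing to do

        var refreshToken = props.GetTokenValue("refresh_token");
        if (string.IsNullOrEmpty(refreshToken))
            throw new InvalidOperationException("Access token expired and no refresh token is available; re-authenticate.");

        // RFC 6749 section 6: refresh_token grant against the STS token endpoint.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = refreshToken,
            ["client_id"] = ClientId,
            ["client_secret"] = ClientSecret,
        });
        var response = await Http.PostAsync(TokenEndpoint, form);
        response.EnsureSuccessStatusCode();

        var json = JObject.Parse(await response.Content.ReadAsStringAsync());
        var newAccess = (string)json["access_token"];
        var newRefresh = (string)json["refresh_token"] ?? refreshToken; // STS may rotate the refresh token
        var expiresIn = (int?)json["expires_in"] ?? 3600;
        var newExpiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresIn)
                                         .ToString("o", CultureInfo.InvariantCulture);

        // StoreTokens replaces the token entries in the properties; keep the id_token
        // because the OIDC handler uses it as the id_token_hint on sign-out.
        var tokens = new List<AuthenticationToken>
        {
            new AuthenticationToken { Name = "access_token", Value = newAccess },
            new AuthenticationToken { Name = "refresh_token", Value = newRefresh },
            new AuthenticationToken { Name = "expires_at", Value = newExpiresAt },
        };
        var idToken = props.GetTokenValue("id_token");
        if (idToken != null)
            tokens.Add(new AuthenticationToken { Name = "id_token", Value = idToken });
        props.StoreTokens(tokens);

        // This is the "setter" the question is looking for: re-issuing the cookie with
        // the same principal and the updated properties persists the new tokens.
        await ctx.SignInAsync(CookieScheme, auth.Principal, props);
        return newAccess;
    }
}
```

Call `GetValidAccessTokenAsync(HttpContext)` in the frontend right before it calls the backend and put the result in the `Authorization: Bearer` header. Two points worth keeping in mind with this design: the refresh token never leaves the server (it lives only inside the data-protected authentication cookie, so the user-agent cannot read it), and the refresh is tied to the current request, so the renewed cookie is only sent back if the response has not started yet; an app that refreshes late in the pipeline should do it in middleware early on instead.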
Reputation: 3155
If you are looking to integrate your application with AAD, then you don't need to manage the refresh token. ADAL manages it for you (as explained here) unless you have any edge cases.
If you are after a non-AAD scenario, Identity Server libraries will do the job for you.
Here is a sample implementation of Identity Server 3 using the above libraries.
Upvotes: 1