Reputation: 105
I am searching for a way to renew the access token claims in a .NET API application using OWIN. I was reading on this and I read that it could be possible using refresh tokens.
The context of this question is the following. I want to store some information in the claims of the access_token that could be updated by an action from the user. So for example: the username is stored in a claim. The user decides to update his/her username. Is it possible to update the claim?
But I can't find a good example anywhere of how to do this. And is this even possible without breaching the security of the application?
Upvotes: 0
Views: 429
Reputation: 446
I don't believe this is possible. An OAuth token can't be modified once it is created, as modifying it would result in the signature becoming invalid (which is a good thing).
The consuming application would be required to renew the token (re-authenticating, using a refresh token, etc.), which would be possible to achieve if the consuming application and API are under your control; otherwise this may not be a practical limitation to impose on your API consumers.
An alternative is to avoid storing the changeable claims in the access token, but rather populate the ClaimsIdentity object (in the IPrincipal) that gets hydrated from the access token with additional claims when a request is received. This would allow you to update the values within the API, but also not require your consumers to obtain a new access token every time a claim needs to change. The downside is you need to load the claims on every request. You also need to have a value in the access token that is guaranteed to identify the user and that cannot ever change.
You could do this using an OwinMiddleware class:
public override async Task Invoke(IOwinContext context)
{
    // Identity hydrated from the access token; null for anonymous requests.
    var identity = context.Authentication.User?.Identity as ClaimsIdentity;
    if (identity != null)
    {
        identity.AddClaim(new Claim("Name", "Value")); // AddClaim takes a single Claim; AddClaims expects IEnumerable<Claim>
    }
    await Next.Invoke(context); // continue down the OWIN pipeline
}
Upvotes: 1
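A fuller version of the per-request enrichment the answer describes, as an added example that is not part of the answer: the middleware keys the lookup on the immutable subject identifier in the token, replaces any stale copy of the claim baked into the token, and is registered after the bearer-token middleware. The IUserProfileStore interface and profileStore variable are hypothetical stand-ins for whatever holds the user's current profile.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Hypothetical store of the user's current (mutable) profile values, keyed by immutable user id.
public interface IUserProfileStore
{
    Task<IDictionary<string, string>> GetClaimsAsync(string userId);
}

public class ProfileClaimsMiddleware : OwinMiddleware
{
    private readonly IUserProfileStore _store;

    public ProfileClaimsMiddleware(OwinMiddleware next, IUserProfileStore store) : base(next)
    {
        _store = store;
    }

    public override async Task Invoke(IOwinContext context)
    {
        var identity = context.Authentication.User?.Identity as ClaimsIdentity;
        // Only enrich identities the bearer-token middleware actually authenticated.
        if (identity != null && identity.IsAuthenticated)
        {
            // Look up by the immutable subject id, never by a mutable claim such as the username.
            string userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            if (!string.IsNullOrEmpty(userId))
            {
                var current = await _store.GetClaimsAsync(userId);
                foreach (var kv in current)
                {
                    // Drop any stale copy carried in the token so the fresh value wins.
                    foreach (var stale in identity.FindAll(kv.Key).ToList())
                        identity.RemoveClaim(stale);
                    identity.AddClaim(new Claim(kv.Key, kv.Value));
                }
            }
        }
        await Next.Invoke(context);
    }
}

// Startup wiring: register after the bearer-token middleware so the identity is already hydrated.
// app.UseOAuthBearerAuthentication(...);
// app.Use<ProfileClaimsMiddleware>(profileStore);
```

Because the lookup runs on every request, the store behind GetClaimsAsync should be cheap to hit (or cached) and the fresh values should be authoritative over whatever the token still carries.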