Reputation: 61
I'm generating a token at login time:
```csharp
var identityService = await DiscoveryClient.GetAsync("http://localhost:5000");
// request token
var tokenClient = new TokenClient(identityService.TokenEndpoint, "ro.client", "secret");
tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync(user.UserName, model.Password, "api1");
```
and I store it in local storage.
On the client side, to access the API method, I add the headers:
```javascript
headers.append('Authorization', 'Bearer ' + token);
headers.append('Content-Type', 'application/json');
headers.append('Accept', 'application/json');
const options = { method: 'POST', headers, body: JSON.stringify(data) };
```
It's working well on the web. After the token expires, the controller returns Unauthorized.
But I don't need the token to expire (I need to refresh the token) in a mobile app. So how do I refresh that token on mobile? Are there any headers to add to refresh the token?
Upvotes: 2
Views: 987
Reputation: 758
To refresh a token on a JavaScript client, it is recommended to use what is known as the implicit flow and implement a silent token refresh mechanism.
Basically, you need to reauthorize and get a new token when the current one is about to expire or has expired. The reason is that it is unsafe to store a refresh token on a JavaScript client.
https://labs.hybris.com/2012/06/05/oauth2-the-implicit-flow-aka-as-the-client-side-flow/
This is a pretty complicated thing to write from scratch, which is why there are a couple of libraries that handle this case specifically (assuming you are using OAuth2). Check out these:
While most of them are Azure-related, you can set up ADAL (at least you could) to work with an OpenID identity server.
Upvotes: 1
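The "get a new token when the current one is about to expire" logic from the answer above, as an added example that is not part of the original posts: it reads the `exp` claim of the access token (assuming the token is a JWT), decides when to renew, and makes concurrent API calls share a single renewal. `renew` is a hypothetical callback standing in for whatever re-authorization the client performs, and all function names are illustrative.

```javascript
// Added example; tokenExpiry, needsRenewal, createTokenSource and renew are hypothetical names.

// Read the `exp` claim (seconds since epoch) from a JWT access token.
// Used only to schedule renewal: the signature is NOT verified here, the API does that.
function tokenExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
    const claims = JSON.parse(atob(b64));
    return Number.isFinite(claims.exp) ? claims.exp : null;
  } catch (e) {
    return null; // malformed payload: treat the token as unusable
  }
}

// True when the token is unreadable, expired, or within skewSeconds of expiring.
function needsRenewal(token, nowSeconds, skewSeconds = 60) {
  const exp = tokenExpiry(token);
  return exp === null || exp - nowSeconds <= skewSeconds;
}

// Returns getToken(): a promise for a usable token. While a renewal is in flight,
// every caller gets the same promise, so `renew` runs once per expiry.
function createTokenSource(initialToken, renew, now = () => Math.floor(Date.now() / 1000)) {
  let current = initialToken;
  let inFlight = null;
  return function getToken() {
    if (!needsRenewal(current, now())) return Promise.resolve(current);
    if (!inFlight) {
      inFlight = new Promise((resolve) => resolve(renew()))
        .then((fresh) => { current = fresh; return fresh; })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Constructed sample token (placeholder signature), for illustration only.
function sampleToken(exp) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'none', typ: 'JWT' }) + '.' + enc({ sub: 'alice', exp }) + '.sig';
}
```

With this in place, the request in the question would build its header from `'Bearer ' + await getToken()` instead of a stored token string.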