Is there any support of refresh token in ASP.NET core?

Question

I am in need of refresh token in an ASP.NET Core application. Currently, I have implemented refresh/access token. In my implementation, refresh token and its expiration date is stored along with User entity in the database. And, a refresh token could be used to generate new access tokens without using user/password. This works fine but, I wonder if ASP.NET Core itself or third party packages like Open Id Connect has an implementation of refresh token or not. The apllication is based on JWT and ASP.NET Identity.

While searching the web, I have found that a method named HttpContext.GetTokenAsync() exists in the Microsoft.AspNetCore.Authentication. Additionaly this question and this question on SO are discussing similiar ideas; but I am still not sure what component or implemenation they are using. And, where is refresh token is stored. In the database? another place?

Answer 1

GetTokenAsync is an extension that is located in the Microsoft.AspNetCore.Authentication.Abstractions package.

Here's some code that you can use for token renewal in the client.

If you are looking for an OpenId Connect implementation then take a look at IdentityServer4. For other solutions: Community OSS authentication options for ASP.NET Core

There are different strategies for Refresh Tokens. You can use a self-contained token that doesn't need to be stored on the server. The client can use this token until it expires. This token can't be revoked.

The alternative is to use a 'one-time-use' code that is stored in the database. Once used, the code is replaced with a new code. This allows the server to revoke the refresh token (by simply removing it from the store).

I'm not sure if this covers all your questions, so let me know if something is missing or is not clear.