user10863293

Reputation: 876

How can I test if my token is refreshed with IdentityServer4?

I create a token with IdentityServer4. I copy this example and just modify this:

in IdentityServer -> Config

public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "client",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },
            AllowedScopes = { "tbtsmth" },
            AccessTokenLifetime = 10,
            IdentityTokenLifetime = 10
        }
    };
}

My token should expire in 10 seconds and every 10 seconds I have a refresh token, but I don't know how to test it. I do something like this:

var tokenHandler = new JwtSecurityTokenHandler();
var jwtSecurityToken = tokenHandler.ReadJwtToken(tokenResponse.AccessToken);

Thread.Sleep(10000);

if (jwtSecurityToken.ValidTo < DateTime.UtcNow)
    Console.WriteLine("expired");
else
    Console.WriteLine("not expired");

It returns "expired". I thought that it should return "not expired" because it will be refreshed.

Upvotes: 1

Views: 1140

Answers (1)

user4864425


There is no refresh token in the client credentials flow. From the documentation:

Refresh tokens are supported for the following flows: authorization code, hybrid and resource owner password credential flow.

There is no user involved, so there is no need for a refresh token. You'll simply request a new token.

So when can you use a refresh token? When in a user flow an access token is required, e.g. when you have a client that doesn't use cookies or needs to access an api.

The problem with a Jwt access token is that the token expires. Once expired, user interaction is required to request a new access token. Because that's not a good user experience, the client can use a refresh token to request a new access token.

The refresh token is not the same as a jwt access token. The refresh token doesn't have to be a Jwt token, it's kept server side and has a (far) longer lifetime (expiration) than an access token, and it can be revoked. Revoking a refresh token means that the refresh token can no longer be used.

Think of the refresh token as some sort of key that allows the client to request new access tokens.

Refreshing the token is never automatic, so you'll have to build logic into the client to refresh tokens. Here's an example of how to refresh the token for the allowed flows.

The flow could be something like this, from my answer here:

  1. The user logs in, receives a JWT access token (5 minutes) and the refresh token 1 code (48 hours). Refresh token 1 is saved on the server.
  2. Five minutes later: the access token expires.
  3. A new access token is requested using refresh token 1.
  4. The user receives a new access token (5 minutes) AND the refresh token 2 code (48 hours). Token 1 is removed from memory and token 2 is added to memory.
  5. And this goes on for several hours.
  6. For two days the user doesn't use the app.
  7. 50 hours later: because both tokens are expired, the user has to log in again, resetting the flow.

Upvotes: 1
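An added example (not code from the question or the answer) of the client-side renewal logic the answer says you have to build yourself: it covers both the client credentials case, where there is no refresh token and a new token is simply requested, and a user flow, where the refresh token is used and rotated as in steps 3, 4 and 7 above. It uses the IdentityModel client library; `TokenRenewer` is a hypothetical name, and the token endpoint URL, client id, secret and scope are assumed placeholders taken from the question's config.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

// Hypothetical helper, not from the question or the answer. Endpoint, client id, secret and
// scope are placeholders. Holds the current access token and (user flows only) the refresh token.
public class TokenRenewer
{
    private static readonly HttpClient Http = new HttpClient();
    private const string TokenEndpoint = "https://localhost:5001/connect/token";
    private string _accessToken;
    private string _refreshToken;  // stays null for client credentials: none is issued
    private DateTime _expiresAtUtc = DateTime.MinValue;

    // Seed with the TokenResponse of an allowed user flow (authorization code, hybrid, ROPC);
    // unseeded, the helper uses client credentials and simply requests a new token.
    public TokenRenewer(TokenResponse userTokens = null) { if (userTokens != null) Store(userTokens); }

    // Returns a usable access token, renewing it once it is within 'skew' of expiry.
    public async Task<string> GetAccessTokenAsync(TimeSpan skew)
    {
        if (_accessToken != null && DateTime.UtcNow + skew < _expiresAtUtc)
            return _accessToken;
        TokenResponse response = _refreshToken != null
            ? await Http.RequestRefreshTokenAsync(new RefreshTokenRequest
              { Address = TokenEndpoint, ClientId = "client", ClientSecret = "secret",
                RefreshToken = _refreshToken })
            : await Http.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
              { Address = TokenEndpoint, ClientId = "client", ClientSecret = "secret",
                Scope = "tbtsmth" });
        if (response.IsError)
        {
            // Step 7 of the answer: a protocol error (e.g. invalid_grant) means the refresh token
            // expired or was revoked, so drop it; the user must log in again. A transport
            // failure keeps it so the next call can retry.
            if (response.ErrorType == ResponseErrorType.Protocol) _refreshToken = null;
            throw new InvalidOperationException($"token renewal failed: {response.Error}");
        }
        Store(response);
        return _accessToken;
    }

    private void Store(TokenResponse r)
    {
        _accessToken = r.AccessToken;
        // Steps 3-4: with refresh token rotation, keep only the newest refresh token.
        if (!string.IsNullOrEmpty(r.RefreshToken)) _refreshToken = r.RefreshToken;
        _expiresAtUtc = DateTime.UtcNow.AddSeconds(r.ExpiresIn);
    }
}
```

To reproduce the question's 10-second experiment, call `GetAccessTokenAsync(TimeSpan.FromSeconds(2))` repeatedly: the token is renewed on the call that finds it about to expire, which is what checking `ValidTo` once after a `Thread.Sleep` cannot show.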
