nsds

Reputation: 981

How to use refresh token in asp.net webform

My application gets logged out when the OAuth token reaches its expiration time, even while I am using the application. This causes the loss of all the data I entered in the forms of my application. How can I resolve this? I found that we can use a refresh token on the Web API, but how can I implement it in my WebForms? I have implemented the refresh token on the Web API like below, but I don't know how to use it in WebForms.

public void ConfigureAuth(IAppBuilder app)
{
    var OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/erms_token"),
        Provider = new SimpleAuthorizationServerProvider(),
        // Access tokens expire after 30 seconds
        AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(30),
        // Accepts token requests over plain HTTP; set to false outside development
        AllowInsecureHttp = true,
        // Issues the refresh_token returned alongside each access token
        RefreshTokenProvider = new SimpleRefreshTokenProvider()
    };

    app.UseOAuthBearerTokens(OAuthOptions);
    app.UseOAuthAuthorizationServer(OAuthOptions);
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

    HttpConfiguration config = new HttpConfiguration();
    WebApiConfig.Register(config);
}

Token Output

{
    "access_token": "bYpc7y6WiThlj0_IqmOVYlaKfLtmDAUQGPFIg9EfwUtBfQsIXO3zNzzWIGtM6nsMIFqHTuAKq1GEmzlATsCLdStgM1wtJ1xoX_OLkEmZEJ8b49rI2wZvDU7ddHKT7GSmBmEYR-CSpENW3MEIc8byKOo41nEIt3YBXHPS-9j1KsXIfLiLSPmgaCBCzFMhxzNh_sgzHTkh3wv24_HbsP46V_kkTfgD9XA4m6AVlDVQf88",
    "token_type": "bearer",
    "expires_in": 29,
    "refresh_token": "349c0748-abfa-47f1-9deb-b9e565b004d8"
}

On login button click of webform:

private bool GetLoginToken(string username, string password)
{
    bool status = false;
    HttpClient client = new HttpClient();
    client.BaseAddress = new Uri(TokenUrl);
    // Password grant: the user's credentials are posted to the token endpoint
    HttpResponseMessage response =
      client.PostAsync("erms_token",
        new StringContent(string.Format("grant_type=password&username={0}&password={1}",
          HttpUtility.UrlEncode(username),
          HttpUtility.UrlEncode(password)), Encoding.UTF8,
          "application/x-www-form-urlencoded")).Result;
    if (response.IsSuccessStatusCode)
    {
        string resultJSON = response.Content.ReadAsStringAsync().Result;
        erms_Token result = JsonConvert.DeserializeObject<erms_Token>(resultJSON);
        // Only the access token is kept; the refresh_token in the response is not stored
        obj_erms_GlobalVariables.login_token = result.access_token;
        Session["login_token"] = result.access_token;
        status = true;
    }
    else
    {
        Session["login_token"] = null;
        status = false;
    }
    return status;
}

I am passing this token on all other webapi requests.

Upvotes: 0

Views: 655

Answers (1)

Charles Han

Reputation: 2010

This is probably not an answer but some comments.

You have a couple of problems here:

  1. How to avoid data loss when the session expires?
  2. How to refresh the access token?

For problem 1, you may consider redesigning how the client side (browser) interacts with your API. For example, use some JavaScript code to save the user input, or even save the content on the server side.

For problem 2, check the OAuth server for the API and see what the response is like. Normally, you get the refresh token from result.refresh_token and then follow the doc here to send a refresh_token request. However, I noticed you are using the password grant type, which is not recommended for security reasons.

Upvotes: 1
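The refresh_token request the answer refers to, as an added example that is not part of the original answer or the asker's project. `TokenResponse`, `TokenStore`, the `refresh_token` and `token_expires_utc` session keys and the base address are assumptions, and the token endpoint is assumed to accept the refresh grant without client credentials.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Web.SessionState;
using Newtonsoft.Json;

// Hypothetical DTO matching the token JSON shown in the question.
public class TokenResponse { public string access_token, refresh_token; public int expires_in; }

public static class TokenStore
{
    // Placeholder base address; the question's TokenUrl plays this role. Use HTTPS.
    private static readonly HttpClient Client =
        new HttpClient { BaseAddress = new Uri("https://api.example.invalid/") };

    // Keep both tokens server-side in Session; the refresh token never reaches the browser.
    public static void Save(HttpSessionState session, TokenResponse t)
    {
        session["login_token"] = t.access_token;
        session["refresh_token"] = t.refresh_token;
        // Treat the token as expired 10 s early to absorb latency and clock skew.
        session["token_expires_utc"] = DateTime.UtcNow.AddSeconds(Math.Max(0, t.expires_in - 10));
    }

    // Returns a usable access token, refreshing it first if needed; null means "log in again".
    public static string GetAccessToken(HttpSessionState session)
    {
        var expires = session["token_expires_utc"] as DateTime?;
        if (expires.HasValue && DateTime.UtcNow < expires.Value)
            return (string)session["login_token"];
        var refresh = session["refresh_token"] as string;
        if (string.IsNullOrEmpty(refresh)) return null;
        // RFC 6749 section 6: form-encoded grant_type=refresh_token request.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
            { { "grant_type", "refresh_token" }, { "refresh_token", refresh } });
        // Blocking call, matching the synchronous style of the question's login code.
        var response = Client.PostAsync("erms_token", form).Result;
        if (!response.IsSuccessStatusCode)
        {
            // A rejected refresh token is useless; drop both tokens.
            session.Remove("login_token");
            session.Remove("refresh_token");
            return null;
        }
        var token = JsonConvert.DeserializeObject<TokenResponse>(response.Content.ReadAsStringAsync().Result);
        Save(session, token); // the response carries a new refresh token; store it
        return token.access_token;
    }
}
```

Call `TokenStore.Save(Session, result)` after a successful login and `TokenStore.GetAccessToken(Session)` before each Web API request, redirecting to the login page when it returns null.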
