I am using the Web Api 2 template that comes with Visual Studio 2013 has some OWIN middleware to do User Authentication and the likes of.
In the OAuthAuthorizationServerOptions
I noticed that the OAuth2 Server is setup to hand out tokens that expire in 14 days
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/api/token"),
Provider = new ApplicationOAuthProvider(PublicClientId,UserManagerFactory) ,
AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
AllowInsecureHttp = true
};
This is not suitable for my latest project. I would like to hand out short lived bearer_tokens that can be refreshed using a refresh_token
I have done lots of googling and can't find anything helpful.
So this is how far I have managed to get. I have now reached the point of "WTF do I now".
I have written a RefreshTokenProvider
that implements IAuthenticationTokenProvider
as per the RefreshTokenProvider
property on OAuthAuthorizationServerOptions
class:
public class SimpleRefreshTokenProvider : IAuthenticationTokenProvider
{
private static ConcurrentDictionary<string, AuthenticationTicket> _refreshTokens = new ConcurrentDictionary<string, AuthenticationTicket>();
public async Task CreateAsync(AuthenticationTokenCreateContext context)
{
var guid = Guid.NewGuid().ToString();
_refreshTokens.TryAdd(guid, context.Ticket);
// hash??
context.SetToken(guid);
}
public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
{
AuthenticationTicket ticket;
if (_refreshTokens.TryRemove(context.Token, out ticket))
{
context.SetTicket(ticket);
}
}
public void Create(AuthenticationTokenCreateContext context)
{
throw new NotImplementedException();
}
public void Receive(AuthenticationTokenReceiveContext context)
{
throw new NotImplementedException();
}
}
// Now in my Startup.Auth.cs
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/api/token"),
Provider = new ApplicationOAuthProvider(PublicClientId,UserManagerFactory) ,
AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(2),
AllowInsecureHttp = true,
RefreshTokenProvider = new RefreshTokenProvider() // This is my test
};
So now when someone requests a bearer_token
I am now sending a refresh_token
, which is great.
So now how do I uses this refresh_token to get a new bearer_token
, presumably I need to send a request to my token endpoint with some specific HTTP Headers set?
Just thinking out loud as I type... Should I handle refresh_token expiration in my SimpleRefreshTokenProvider
? How would a client obtain a new refresh_token
?
I could really do with some reading material / documentation because I don't want to get this wrong and would like to follow some sort of standard.