OWIN OAuth 2.0 Authorization Server Refresh Token

1
votes

I run this sample application:

http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

Downloaded from:

http://code.msdn.microsoft.com/OWIN-OAuth-20-Authorization-ba2b8783

In the AuthorizationServer project Startup.Auth.cs file, I added 

AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(1),

inside 

app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions {

So that the token will expire after 1 minute.

After 1 minute and the token expired, I try to refresh the token, it gives me the error

The remote server returned an error: (400) Bad Request.

My questions is:

Is it possible to refresh the token if the token expire? Or how about automatically refresh the expired token if the user tries to access Protected Resource?

1
oauthowin
Yes, it is possible. You must return refresh token with access token and client will be able to get new access token using refresh token. For more information you can see this sample [link](leastprivilege.com/2013/11/15/… ) - Sargis Koshkaryan

1 Answers

2
votes

By default, OWIN rejects refresh token if related authentication token expired already. Here is example, how you can override this behavior:

public class RefreshTokenProvider : IAuthenticationTokenProvider
{
        public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
        {
            var ticket = LoadAuthenticationTicketFromDatabase();
            context.DeserializeTicket(ticket);
            context.Ticket.Properties.ExpiresUtc = DateTime.MaxValue;
    }
}