I am setting up refresh tokens in a web service that is based on the Web API 2 template. It is going to be consumed by both our own website as well as external clients.
After researching for some time, the general recommendation on securing the refresh token from XSS attacks is to store the identifier within an encrypted cookie. I know that I could return both the authentication and refresh tokens in cookies by using the UseCookieAuthentication method instead of the UseOAuthBearerAuthentication, but that would then cause complications when I'm dealing with external clients.
The code I currently have for setting up the configuration is:
    using System;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            var applicationProvider = new ApplicationOAuthProvider();
            var applicationRefreshProvider = new ApplicationRefreshTokenProvider();

            var oAuthServerOptions = new OAuthAuthorizationServerOptions
            {
                // Allows the token endpoint over plain HTTP; only acceptable while developing,
                // since tokens would otherwise travel in clear text.
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
                Provider = applicationProvider,
                // Called by the server to create a refresh token on each token response
                // and to look it up on a refresh_token grant.
                RefreshTokenProvider = applicationRefreshProvider
            };

            // Token Generation
            app.UseOAuthAuthorizationServer(oAuthServerOptions);
            // Token consumption: authenticate requests carrying "Authorization: Bearer ..."
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        }
    }
A workaround I could implement would be adding a method to a controller on the resource server that then does that transformation step for the JavaScript-based clients, but that doesn't quite make sense to me to do.
Is there a way I can accomplish this in the auth configuration, and is that the correct approach to take? I don't want to take the wrong direction if I can help it.
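One way to keep this inside the OWIN auth configuration, as an added example that is not part of the original question, is to make the decision in the refresh-token provider itself: when the client requesting the token is the first-party browser application, the provider writes the refresh token into an HttpOnly cookie scoped to the token endpoint and omits it from the JSON body (the Katana server only adds a `refresh_token` field when `SetToken` was called); every other client receives it in the body as usual. The example assumes that `ValidateClientAuthentication` in the `ApplicationOAuthProvider` stores the authenticated client id in the OWIN environment under the key `"as:client_id"`, that `"spa-client"` is the id of the website, that Katana passes an empty `refresh_token` form value through to `ReceiveAsync` rather than rejecting the request first, and that the `ConcurrentDictionary` stands in for a real persistent token store.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Infrastructure;

// Added example (not the question's ApplicationRefreshTokenProvider): issues the
// refresh token as an HttpOnly cookie to the first-party browser client and in the
// response body to external clients.
public class CookieAwareRefreshTokenProvider : AuthenticationTokenProvider
{
    private const string FirstPartyClientId = "spa-client";   // assumed client id of our website
    private const string ClientIdKey = "as:client_id";        // assumed key set by ValidateClientAuthentication
    private const string CookieName = "refresh_token";
    private static readonly TimeSpan RefreshTokenLifetime = TimeSpan.FromDays(14);

    // Placeholder for a database table: SHA-256 of the token -> serialized ticket.
    // Only the hash is kept, so a copy of the store does not yield usable tokens.
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    public override Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // Opaque, unguessable identifier; the ticket itself stays on the server.
        var raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        Store[Hash(token)] = context.SerializeTicket();

        string clientId = context.OwinContext.Get<string>(ClientIdKey);
        if (clientId == FirstPartyClientId)
        {
            // Browser client: the token lives only in a cookie that script cannot read
            // (HttpOnly) and that the browser sends only to the token endpoint (Path).
            context.OwinContext.Response.Cookies.Append(CookieName, token, new CookieOptions
            {
                HttpOnly = true,
                Secure = true,
                Path = "/token",
                Expires = DateTime.UtcNow.Add(RefreshTokenLifetime)
            });
            // SetToken is deliberately not called, so refresh_token is absent from the JSON.
        }
        else
        {
            // External clients get the token in the response body as usual.
            context.SetToken(token);
        }
        return Task.FromResult(0);
    }

    public override Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        // External clients send refresh_token in the form; the browser client sends the cookie.
        string token = context.Token;
        if (string.IsNullOrEmpty(token))
            token = context.OwinContext.Request.Cookies[CookieName];
        if (string.IsNullOrEmpty(token))
            return Task.FromResult(0);   // no ticket set -> server answers invalid_grant

        // Single use: the token is removed on receipt and CreateAsync issues a new one,
        // so a stolen token that is replayed after a legitimate refresh no longer works.
        string serialized;
        if (Store.TryRemove(Hash(token), out serialized))
            context.SetTicket(context.DeserializeTicket(serialized));
        return Task.FromResult(0);
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

To use it, assign an instance to `RefreshTokenProvider` in place of `applicationRefreshProvider` and make sure `ApplicationOAuthProvider.GrantRefreshToken` calls `context.Validated(...)`, otherwise the server rejects every refresh grant regardless of what `ReceiveAsync` found. Because the browser now presents the refresh token automatically, the `/token` endpoint becomes reachable by cross-site form posts for that client; the `Path` restriction and checking the client id in `ValidateClientAuthentication` limit the exposure, and the JavaScript client should still send its own client id so the two flows cannot be mixed.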