1
votes

I'm using Oauth2 on my own Web API and ASP.NET C# to consume that API on a web app. On my web app, I'm making HttpWebRequests. When my access token expires, I'm calling a method "RefreshToken" that makes a request to get a new access token. This works beautifully without issue...except that the response I get back contains a new refresh token??? I was expecting just the new access token. I didn't even think this was possible without passing credentials again, but my grant_type=refresh_token is somehow generating a new refresh token, and it has me concerned.

1
My grant_type=password AND grant_type=refresh_token responses both look like this: – Andy
Have you seen this? – BBauer42

1 Answer

2
votes

Please see this post by Taiseer Joudeh (which is a phenomenal series of posts by the way).

You will find in the SimpleRefreshTokenProvider's CreateAsync method, the refresh token is deleted and re-created, which provides "sliding expiration". If you don't want a new refresh token each time, don't delete/recreate.

Here is the line of code I'm talking about:

var result = await tokenRepository.AddRefreshToken(token);

AddRefreshToken actually deletes and re-creates the token as seen here:

public async Task<bool> AddRefreshToken(AspNetRefreshToken token)
{
    // One refresh token per subject + client: look up the token this user/client pair already holds
    var existingToken = _context.AspNetRefreshTokens.SingleOrDefault(r => r.Subject == token.Subject && r.ClientId == token.ClientId);

    // Delete the old one first, so every refresh replaces the stored token (sliding expiration)
    if (existingToken != null)
    {
        await RemoveRefreshToken(existingToken);
    }

    // Store the freshly generated token with its new expiry
    _context.AspNetRefreshTokens.Add(token);

    return await _context.SaveChangesAsync() > 0;
}

So again, without seeing your code I would say it's working as expected. If you don't want sliding expiration, don't have the provider re-create the refresh token each time.
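To make the two behaviours concrete, here is an added, self-contained C# example (not code from the question, the answer, or Taiseer Joudeh's series) with an in-memory store that can run in either mode: Sliding, which deletes and re-creates the refresh token on every grant_type=refresh_token call exactly as AddRefreshToken above does, and Fixed, which keeps the stored refresh token and its original expiry and only mints a new access token. It also shows the one thing the sliding approach buys you beyond convenience, and which the answer does not discuss: once tokens rotate, a previously rotated token turning up again is a reuse signal, and the store revokes that subject+client session. Everything in it is hypothetical: the type names (RefreshTokenStore, RefreshMode, TokenPair, RefreshTokenRecord), the constructed clock value and user/client names, and the assumption of .NET 6 or later for RandomNumberGenerator.GetBytes.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public enum RefreshMode { Sliding, Fixed }

public sealed record RefreshTokenRecord(string Id, string Subject, string ClientId, DateTimeOffset ExpiresUtc);
public sealed record TokenPair(string AccessToken, string RefreshToken, DateTimeOffset RefreshExpiresUtc);

public sealed class RefreshTokenStore
{
    // Live refresh tokens keyed by opaque id (one per subject+client, as in the answer's store).
    private readonly Dictionary<string, RefreshTokenRecord> _live = new();
    // Ids rotated away under Sliding, kept so a replayed old token can be recognised.
    private readonly Dictionary<string, (string Subject, string ClientId)> _retired = new();
    private readonly RefreshMode _mode;
    private readonly TimeSpan _lifetime;

    public RefreshTokenStore(RefreshMode mode, TimeSpan refreshLifetime)
    {
        _mode = mode;
        _lifetime = refreshLifetime;
    }

    // grant_type=password: credentials were verified elsewhere; always mint a new pair.
    public TokenPair IssueForPasswordGrant(string subject, string clientId, DateTimeOffset now)
    {
        RevokeSession(subject, clientId);
        return Create(subject, clientId, now);
    }

    // grant_type=refresh_token. Returns null when the presented token must not be honoured.
    public TokenPair? Refresh(string refreshToken, DateTimeOffset now)
    {
        if (!_live.TryGetValue(refreshToken, out var record))
        {
            // An already-rotated token is being presented again: a lost response being retried,
            // or a leaked copy. Revoke the whole session so the holder of the newer token must
            // authenticate again (this is a general OAuth2 rotation practice, not from the page).
            if (_retired.Remove(refreshToken, out var owner))
                RevokeSession(owner.Subject, owner.ClientId);
            return null;
        }

        if (record.ExpiresUtc <= now)
        {
            _live.Remove(refreshToken);
            return null;
        }

        if (_mode == RefreshMode.Fixed)
        {
            // Keep the stored refresh token and its original expiry; only the access token is new.
            return new TokenPair(NewOpaqueToken(), refreshToken, record.ExpiresUtc);
        }

        // Sliding: delete and re-create, which is what AddRefreshToken in the answer does.
        _live.Remove(refreshToken);
        _retired[refreshToken] = (record.Subject, record.ClientId);
        return Create(record.Subject, record.ClientId, now);
    }

    private TokenPair Create(string subject, string clientId, DateTimeOffset now)
    {
        var id = NewOpaqueToken();
        var record = new RefreshTokenRecord(id, subject, clientId, now + _lifetime);
        _live[id] = record;
        return new TokenPair(NewOpaqueToken(), id, record.ExpiresUtc);
    }

    // Drop every live and retired token belonging to this subject+client.
    private void RevokeSession(string subject, string clientId)
    {
        foreach (var id in new List<string>(_live.Keys))
            if (_live[id].Subject == subject && _live[id].ClientId == clientId) _live.Remove(id);
        foreach (var id in new List<string>(_retired.Keys))
            if (_retired[id] == (subject, clientId)) _retired.Remove(id);
    }

    // 256 bits from the CSPRNG; a production store would persist only a hash of this value.
    private static string NewOpaqueToken() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
}

public static class Demo
{
    public static void Main()
    {
        var now = new DateTimeOffset(2015, 1, 1, 0, 0, 0, TimeSpan.Zero);   // constructed clock value

        // Sliding (the answer's behaviour): every refresh returns a different refresh token
        // and moves its expiry forward from the time of the refresh.
        var sliding = new RefreshTokenStore(RefreshMode.Sliding, TimeSpan.FromDays(7));
        var first = sliding.IssueForPasswordGrant("alice", "webapp", now);
        var second = sliding.Refresh(first.RefreshToken, now.AddDays(3))!;
        Console.WriteLine($"sliding: new refresh token? {first.RefreshToken != second.RefreshToken}, " +
                          $"expiry {first.RefreshExpiresUtc:u} -> {second.RefreshExpiresUtc:u}");

        // Presenting the first (already rotated) token again is reuse: the session is revoked,
        // so the second token stops working as well.
        Console.WriteLine($"replayed old token accepted? {sliding.Refresh(first.RefreshToken, now.AddDays(3)) != null}");
        Console.WriteLine($"newer token valid after replay? {sliding.Refresh(second.RefreshToken, now.AddDays(3)) != null}");

        // Fixed: refresh token and expiry are unchanged; only the access token is new.
        var fixedStore = new RefreshTokenStore(RefreshMode.Fixed, TimeSpan.FromDays(7));
        var f1 = fixedStore.IssueForPasswordGrant("alice", "webapp", now);
        var f2 = fixedStore.Refresh(f1.RefreshToken, now.AddDays(3))!;
        Console.WriteLine($"fixed: same refresh token? {f1.RefreshToken == f2.RefreshToken}, " +
                          $"same expiry? {f1.RefreshExpiresUtc == f2.RefreshExpiresUtc}, " +
                          $"new access token? {f1.AccessToken != f2.AccessToken}");
    }
}
```

Run it as a console project and the sliding lines print a changed token with the expiry pushed from 8 Jan to 11 Jan, followed by False for both the replay and the newer token; the fixed lines print True, True, True. The design point for the original poster: getting a new refresh token back from grant_type=refresh_token is the normal shape of rotation, and the client should simply overwrite the stored refresh token with each response. Dropping rotation (the Fixed mode) removes the surprise but also removes the ability to notice a replayed token, so it is a trade-off rather than a bug fix.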