0
votes

I already have a REST API with bearer tokens implemented and now I need to allow the API's clients to connect to the API with the same token for 1 year, for example. I thought that implementing refresh tokens in the API would make it possible to achieve my goal, but it is not possible to get a new token with a refresh token after the original token has expired, and I think it is a bad smell to increase the lifetime of every token in the API, given that the client must choose whether it wants an offline token or not.

My API was built with ASP.NET Web API 2, where an implementation of OAuth 2 already exists.


1 Answer

0
votes

Well, I was wrong, because it is possible to refresh a token even when the original token has expired, but we need to ensure that each token has its own expiration date and that the refresh token's expiration date is later than the authentication token's.

Here I have a code sample that shows how to set the refresh token expiration date.

// CreateAsync of the IAuthenticationTokenProvider registered as
// OAuthAuthorizationServerOptions.RefreshTokenProvider (Microsoft.Owin.Security.Infrastructure).
public async Task CreateAsync(AuthenticationTokenCreateContext context)
{
    // Opaque, unguessable handle that is handed to the client as the refresh token.
    var refreshToken = Guid.NewGuid().ToString("n");

    // The access token has already been serialized at this point, so these
    // lifetime changes apply only to the refresh token's ticket.
    context.Ticket.Properties.IssuedUtc = DateTime.UtcNow;
    context.Ticket.Properties.ExpiresUtc = DateTime.UtcNow.AddYears(1);

    // The serialized ticket must also be stored keyed by refreshToken so that
    // ReceiveAsync can look it up when the client redeems the token.
    context.SetToken(refreshToken);
}

The above sets the refresh token expiration to 1 year from now.
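A complete provider built around the approach in the answer, added here as an example (it is neither the asker's nor the answerer's code, and not part of Katana): it gives the refresh token its own 1-year lifetime, persists the protected ticket so ReceiveAsync can redeem it, and accepts each handle only once. The in-memory store and the class name RefreshTokenProvider are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Infrastructure;

// Register as OAuthAuthorizationServerOptions.RefreshTokenProvider.
// The in-memory store is for illustration only (assumption); a real deployment
// persists the protected tickets so they survive restarts and scale out.
public class RefreshTokenProvider : IAuthenticationTokenProvider
{
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    private static readonly TimeSpan RefreshTokenLifetime = TimeSpan.FromDays(365);

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // Opaque handle handed to the client; only the server can map it to a ticket.
        var refreshToken = Guid.NewGuid().ToString("n");

        // The access token was already serialized, so changing the ticket
        // lifetime here affects only the refresh token's copy of the ticket.
        // Note that CreateAsync runs again on every successful refresh, so the
        // lifetime restarts each time a refresh token is redeemed.
        var now = DateTime.UtcNow;
        context.Ticket.Properties.IssuedUtc = now;
        context.Ticket.Properties.ExpiresUtc = now.Add(RefreshTokenLifetime);

        // Persist the protected ticket keyed by the handle for ReceiveAsync.
        Store[refreshToken] = context.SerializeTicket();
        context.SetToken(refreshToken);
        return Task.FromResult(0);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        string protectedTicket;
        // Single use: remove the handle as soon as it is presented, so a leaked
        // or replayed refresh token cannot be redeemed a second time.
        if (Store.TryRemove(context.Token, out protectedTicket))
        {
            // Katana itself rejects the grant if the ticket's ExpiresUtc has passed.
            context.DeserializeTicket(protectedTicket);
        }
        return Task.FromResult(0);
    }

    public void Create(AuthenticationTokenCreateContext context) { CreateAsync(context).Wait(); }
    public void Receive(AuthenticationTokenReceiveContext context) { ReceiveAsync(context).Wait(); }
}
```

Because the refresh token's ticket carries its own ExpiresUtc, the client can still obtain a new access token after the short-lived access token has expired, which is the behaviour the question was after.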