Using OAuth2 refresh tokens in an ASPMVC application

1
votes

Scenario

I am using the OWIN cookie authentication middleware to protected my site as follows

public void ConfigureAuth(IAppBuilder app)
{
   app.UseCookieAuthentication(new CookieAuthenticationOptions
   {
      AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
      LoginPath = new PathString("/Account/Login"),
      ExpireTimeSpan = new TimeSpan(0, 20, 0),
      SlidingExpiration = true
   });
}

On login, I use the resource owner password flow to call my token service and retrieve both an access and refresh token.

I then add the refresh token, access token and the time the access token expires to my claims and then call the following to to persist this information to my authentication cookie.

HttpContext .GetOwinContext() .Authentication .SignIn(claimsIdentityWithTokenAndExpiresAtClaim);

Then before calling any service, I can retrieve the access token from my current claims and associate it with the service call.

Problem

Before calling any service, I should really check if the access token has expired and if so use the refresh token to get a new one. Once I have a new access token, I can call the service, however I then need to persist a new authentication cookie with the new access token, refresh token and expiry time.

Is there any nice way to do this transparently to the caller of the service?

Attempted solutions

1) Check before calling every service

[Authorize]
public async Task<ActionResult> CallService(ClaimsIdentity claimsIdentity)
{
    var accessToken = GetAccessToken();
    var service = new Service(accessToken).DoSomething();
}

private string GetAccessToken(ClaimsIdentity claimsIdentity) {

    if (claimsIdentity.HasAccessTokenExpired())
    {
        // call sts, get new tokens, create new identity with tokens
        var newClaimsIdentity = ...

        HttpContext
            .GetOwinContext()
            .Authentication
            .SignIn(newClaimsIdentity);

        return newClaimsIdentity;

    } else {
        return claimsIdentity.AccessToken();
    }
}

This would work, but it's not sustainable. Also I could not longer use dependency injection to inject my services as the service needs the access token at call time and not construction time.

2) Use some kind of service factory

Before create the service with its access token, it would perform the refresh if needed. The issue it that I'm not sure how I can get the factory to return both a service and also set the cookie within the implementation in a nice way.

3) Do it in a action filter instead.

The thinking is that the session cookie has a 20 minutes sliding expiry. On ever page request, I can check if the access token is more than halfway through it's expiry (ie. if the access token has an expiry of an hour, check to see if it has less than 30 minutes to expiry). If so, perform the refresh. The services can rely on the access token not being expired. Lets say you hit the page just before the 30 minutes expiry and stayed on the page for 30 minutes, the assumption is the session timeout (20 minutes idle) will kick in before you call the service and you wil be logged off.

4) Do nothing and catch the exception from calling a service with an expired token

I couldn't figure out a nice way to get a new token and retry the service call again without having to worry about side effects etc. Plus it would be nicer to check for expiration first, rather than wait for the time it takes the service to fail.

Neither of these solutions are particularly elegant. How are others handling this?

1
oauth-2.0access-token
Do you have any questions or comments on my answer? - Soma Yarlagadda
I was more interested in a solution for MVC. I would be curious to see the custom middleware implementation. But my question was really about a) At which point in time do you check for access token expiry and b) how do you transparently pass the access token to services that need it (so they can add to their authorization header). Also I was suggesting storing the access token, refresh tokens and expires in the authentication cookie. I wasn't suggesting passing them to the services as claims. - kimsagro
Please see my updated answer. I have spend some quality time researching what would be the best approach on the server side. Please let me know if you have any questions. Thank you. - Soma Yarlagadda

1 Answers

1
votes

Update:

I spent some time looking in to various options on how to implement this efficiently at the server side with your current setup.

There are multiple ways (like Custom-Middleware, AuthenticationFilter, AuthorizationFilter or ActionFilter) to achieve this on the server side. But, looking at these options I would lean towards AuthroziationFilter. The reason are:

  1. AuthroziationFilters gets executed after AuthenticationFilters. So, it is early in the pipe line that you can make a decision of whether to get a new token or not based on expiry time. Also, we can be sure that the user is authenticated.

  2. The scenario we are dealing with is about access_token which is related to authorization than the authentication.

  3. With filters we have the advantage of selectively using it with actions that are explicitly decorated with that filter unlike the custom middleware which gets executed with every request. This is useful as there will be cases where you do not want to get a refreshed token (since the current one is still valid as we are getting new token well before the expiration) when you are not calling any service.

  4. Actionfilters are called little late in the pipeline also we do not have a case for after executing method in an action filter.

Here is a question from Stackoverflow that has some nice details on how to implement an AuthorizationFilter with dependency injection.

Coming to attaching the Authorization header to the service:

This happens inside your action method. By this time you are sure that the token is valid. So I would create an abstract base class that instantiates a HttpClient class and sets the authorization header. The service class implements that base class and uses the HttpClient to call the web service. This approach is clean as consumers of your setup do not have to know how and when you are getting and attaching the token to the outgoing request for web service. Also, you are getting and attaching the refreshed access_token only when you are calling the web service.

Here is some sample code (please note that I haven't fully tested this code, this is to give you an idea of how to implement):

public class MyAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
    {
        private const string AuthTokenKey = "Authorization";

        public void OnAuthorization(AuthorizationContext filterContext)
        {
            var accessToken = string.Empty;
            var bearerToken = filterContext.HttpContext.Request.Headers[AuthTokenKey];

            if (!string.IsNullOrWhiteSpace(bearerToken) && bearerToken.Trim().Length > 7)
            {
                accessToken = bearerToken.StartsWith("Bearer ") ? bearerToken.Substring(7) : bearerToken;
            }

            if (string.IsNullOrWhiteSpace(accessToken))
            {
                // Handle unauthorized result Unauthorized!
                filterContext.Result = new HttpUnauthorizedResult();
            }

            // call sts, get new token based on the expiration time. The grace time before which you want to
            //get new token can be based on your requirement. assign it to accessToken


            //Remove the existing token and re-add it
            filterContext.HttpContext.Request.Headers.Remove(AuthTokenKey);
            filterContext.HttpContext.Request.Headers[AuthTokenKey] = $"Bearer {accessToken}";
        }
    }


    public abstract class ServiceBase
    {
        protected readonly HttpClient Client;

        protected ServiceBase()
        {
            var accessToken = HttpContext.Current.Request.Headers["Authorization"];
            Client = new HttpClient();
            Client.DefaultRequestHeaders.Add("Authorization", accessToken);
        }
    }

    public class Service : ServiceBase
    {
        public async Task<string> TestGet()
        {
            return await Client.GetStringAsync("www.google.com");
        }
    }

    public class TestController : Controller
    {
        [Authorize]
        public async Task<ActionResult> CallService()
        {
            var service = new Service();
            var testData = await service.TestGet();
            return Content(testData);
        }
    }

Please note that using the Client Credentials flow from OAuth 2.0 spec is the approach we need to take when calling an API. Also, the JavaScript solution feels more elegant for me. But, I am sure you have requirements that might be forcing you to do it the way you want. Please let me know if you have any questions are comments. Thank you.

Adding access token, refresh token and expires at to the claims and passing it to the following service may not be a good solution. Claims are more suited for identifying the user information/ authorization information. Also, the OpenId spec specifies that the access token should be sent as part of the authorization header only. We should deal with the problem of expired/ expiring tokens in a different way.

At the client, you can automate the process of getting a new access token well before its expiration using this great Javascript library oidc-client. Now you send this new and valid access token as part of your headers to the server and the server will pass it to the following APIs. As a precaution, you can use the same library to validate the expiration time of the token before sending it to the server. This is much cleaner and better solution in my opinion. There are options to silently update the token without the user noticing it. The library uses a an iframe under the hood to update the token. Here is a link for a video in which the author of the library Brock Allen explains the same concepts. The implementation of this functionality is very straightforward. Examples of how the library can be used is here. The JS call we are interested in would look like:

var settings = {
    authority: 'http://localhost:5000/oidc',
    client_id: 'js.tokenmanager',
    redirect_uri: 'http://localhost:5000/user-manager-sample.html',
    post_logout_redirect_uri: 'http://localhost:5000/user-manager-sample.html',
    response_type: 'id_token token',
    scope: 'openid email roles',

    popup_redirect_uri:'http://localhost:5000/user-manager-sample-popup.html',

    silent_redirect_uri:'http://localhost:5000/user-manager-sample-silent.html',
    automaticSilentRenew:true,

    filterProtocolClaims: true,
    loadUserInfo: true
};
var mgr = new Oidc.UserManager(settings);


function iframeSignin() {
    mgr.signinSilent({data:'some data'}).then(function(user) {
        log("signed in", user);
    }).catch(function(err) {
        log(err);
    });
}

The mgr is an instance of

FYI, we can achieve similar functionality at the server by building a custom middleware and using it as part of the request flow in a MessageHandler. Please let me know if you have any questions.

Thanks, Soma.