How to refresh access token

11
votes

I have an Asp.net 2.0 core web application which connects to an Identity server 4 application for authentication. There is also an API involved. The API consumes an access token as a bearer token.

My startup:

services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.SignInScheme = "Cookies";
                options.Authority = idsEndPoint;
                options.RequireHttpsMetadata = false;
                options.ClientId = "testclient";
                options.ClientSecret = "secret";
                options.ResponseType = "code id_token";
                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;
                options.Scope.Add("testapi");
            });

Controller:

In my controllers i can see my tokens and they are all populated and i can use the access token in my API calls.

var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
var refreshToken = await HttpContext.GetTokenAsync(IdentityConstants.HttpContextHeaders.RefreshToken);
var idToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.IdToken);

Question:

My problem occurs after one hour where the access token expires. It appears that it is not automatically being refreshed. I am wondering if this is a setting in my authentication that will cause it to refresh it. However I have been unable to find out how I am supposed to force it to refresh the access token after it has expired.

My current solution is to refresh it myself but I would have thought this would be built into the cookie middleware.

2
c#asp.net-coreoauth.net-coreidentityserver4
How to handle expired access token in asp.net core using refresh token with OpenId Connect: stackoverflow.com/questions/40032851/… - Houssem Romdhani
@HoussemRomdhani nice try but thats what my old application used this is .net core 2.0 so that doesnt work anymore that's 1.1x - DaImTo
Try this configuration: github.com/mderriey/TokenRenewal/blob/master/src/MvcClient/… - Houssem Romdhani
wow that looks like something useful thanks. I will get back to you. You may want to add it as an answer at any rate. - DaImTo
Has there been no improvements in .net core to manage this automatically ? - CurlyFire

2 Answers

1
votes

for automatic refresh token, add options.Scope.Add("offline_access"); to AddOpenIdConnect() options.

0
votes

This approach uses OpenIddict, you need to implement the main configuration inside startup.cs. The next Link is an excellent example of this implementation. Hope be useful
https://github.com/openiddict/openiddict-samples/tree/dev/samples/RefreshFlow

     if (request.IsPasswordGrantType())
        {

            if (!Email_Regex_Validation.Check_Valid_Email_Regex(request.Username))
            {
                return BadRequest(Resources.RegexEmail);
            }

            SpLoginUser stored = new SpLoginUser(_context);

            string result = stored.Usp_Login_User(request.Username, request.Password);

            if (!result.Contains("successfully"))
            {
                return Forbid(OpenIddictServerDefaults.AuthenticationScheme);
            }

            // Create a new ClaimsIdentity holding the user identity.
            var identity = new ClaimsIdentity(
                OpenIddictServerDefaults.AuthenticationScheme,
                OpenIdConnectConstants.Claims.Name,
                OpenIdConnectConstants.Claims.Role);


            identity.AddClaim(Resources.issuer, Resources.secret,
                OpenIdConnectConstants.Destinations.IdentityToken);
            identity.AddClaim(OpenIdConnectConstants.Claims.Name, request.Username,
                OpenIdConnectConstants.Destinations.IdentityToken);


            var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);
            ticket.SetScopes(OpenIdConnectConstants.Scopes.OfflineAccess);

            // Ask OpenIddict to generate a new token and return an OAuth2 token response.
            return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);

        }