Aspnetcore: Build a story around refreshing auth tokens

Created on 26 Apr 2018  Â·  4Comments  Â·  Source: dotnet/aspnetcore

Below is one option we've considered, but I'm re-framing this issue to build some story for refreshing auth tokens.

To improve the ability to "refresh" expired tokens, we should consider caching the access token provided by the factory. Then, when an HTTP request gets a 401, we call the factory again before re-issuing the request. That way the user can configure a process to "refresh" the token without forcing the connection to be reestablished

  • For the WebSockets transport, this has no effect. There is only ever a single request. This logic would not cover reconnecting in the event of something like #1159 (where the WebSocket is terminated when the token expires)
  • For the SSE transport, this only affects POST (send) requests. We would call the token factory again and re-issue the send. The unsent data would stay buffered in the pipe
  • For Long Polling, this affects POST requests like SSE, and the GET (poll) requests. The client would assume that a 401 error indicates that the data is still in the pipe for them to read. The server would be expected to keep data in the pipe in the case of a 401
5.0-candidate Blazor ♥ SignalR Design affected-medium area-signalr enhancement severity-major
Source
picture anurse
👍1

Most helpful comment

Expanding this to also cover the possibility of in-band refresh of the token. We may want to build a way to refresh the user principal without terminating the connection.

picture anurse on 1 Oct 2019
👍3

All 4 comments

We need to make sure that if two requests are outstanding simultaneously, the access token factory is only called once. So we should use a shared component and lock properly

anurse picture anurse on 26 Apr 2018

Also need to make sure any new new requests that need to get sent wait while the access token is refreshed.

The same behavior should happen while starting a connection. Requests that need to get sent with an access token should wait while a single call to the factory is made, and then get sent out once the token is ready.

I'm assuming the behavior between C# and TS should be the same.

JamesNK picture JamesNK on 26 Apr 2018
👍2

@SteveSandersonMS @rynowak FYI, just something that popped up in our backlog grooming and @BrennanConroy mentioned this was something you cared about. So we put our special happy label on it.

anurse picture anurse on 6 Aug 2019

Expanding this to also cover the possibility of in-band refresh of the token. We may want to build a way to refresh the user principal without terminating the connection.

anurse picture anurse on 1 Oct 2019
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

BrennanConroy picture BrennanConroy  Â·  3Comments
rynowak picture rynowak  Â·  3Comments
Pixel-Lord picture Pixel-Lord  Â·  3Comments
markrendle picture markrendle  Â·  3Comments
fayezmm picture fayezmm  Â·  3Comments