Openiddict-core: Refresh tokens

Created on 9 Aug 2016  路  4Comments  路  Source: openiddict/openiddict-core

Hi all,
I've been looking though the docs, however I didn't found a sample code on how to work with refresh tokens. I've read this article but it seems like refresh tokens are being auto generated, which is definitely not my case. I have the following code in my Startup.cs:

public void ConfigureServices(IServiceCollection services)
        {
            services.AddSingleton(Configuration);
            services.AddMvc();
            services.AddCors();
            services.AddDbContext<AppEntityContext>(options =>
                    options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
            services.AddIdentity<AppUser, IdentityRole>(o =>
                {
                    o.Password.RequireDigit = false;
                    o.Password.RequireLowercase = false;
                    o.Password.RequireUppercase = false;
                    o.Password.RequireNonAlphanumeric = false;
                    o.Password.RequiredLength = 6;
                })
                .AddEntityFrameworkStores<AppEntityContext>()
                .AddDefaultTokenProviders();
            services.AddOpenIddict<AppUser, AppEntityContext>()
                .EnableTokenEndpoint("/api/token")
                .AllowRefreshTokenFlow()
                .SetRefreshTokenLifetime(TimeSpan.FromHours(1))
                .AllowPasswordFlow()
                .DisableHttpsRequirement()
                .AddEphemeralSigningKey();
        }
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory,
            IAntiforgery antiforgery)
        {
            var secretKey = Tokens["SecretKey"];
            var apiIssuerKey = Tokens["WebApiIssuerKey"];
            var apiAudienceKey = Tokens["WebApiAudienceKey"];
            app.UseCors(builder =>
            {
                builder.AllowAnyOrigin()
                    .AllowAnyMethod()
                    .AllowAnyHeader();
            });
            app.UseIdentity();
            app.UseOAuthValidation();
            app.UseOpenIddict();
            app.UseMvc();
        }
getToken: function (data, success, error) {
                $http({
                    method: "POST",
                    url: apiUrl + "token",
                    headers: {
                        'Content-Type': 'application/x-www-form-urlencoded'
                    },
                    data: "username=" + data.email + "&password=" + data.password + "&grant_type=password"
                }).then(success, error);
            },

So, the question is what configuration do I need to enable refresh token generation (and re-issue access token according to this refresh token)?
BTW, please share your thoughts if you have any suggestions on how make the openiddict configuration more secure.

question

Most helpful comment

answer was deleted by mistake, retrieved it thanks to google cache.

from the original answer:-

Try appending scopes to your request. To retrieve refresh tokens, add 'offline_access' scope to your request.

http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

to test using postman, you could do the following

once you have a refresh token, you could later exchange it for another access token

All 4 comments

@codethetalk seems reasonable. And what should I do to be able to exchange the refresh token for a new pair of tokens? Is there a built-in functionality for that purpose in openiddict? Or, if not, could you please give me an short example of how this can be done.

Thanks

@codethetalk thanks for your help :+1:

answer was deleted by mistake, retrieved it thanks to google cache.

from the original answer:-

Try appending scopes to your request. To retrieve refresh tokens, add 'offline_access' scope to your request.

http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

to test using postman, you could do the following

once you have a refresh token, you could later exchange it for another access token

@user09987 thanks, really help a lot!!!

Was this page helpful?
0 / 5 - 0 ratings