Hi all,
I've been looking though the docs, however I didn't found a sample code on how to work with refresh tokens. I've read this article but it seems like refresh tokens are being auto generated, which is definitely not my case. I have the following code in my Startup.cs:
public void ConfigureServices(IServiceCollection services)
{
services.AddSingleton(Configuration);
services.AddMvc();
services.AddCors();
services.AddDbContext<AppEntityContext>(options =>
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.AddIdentity<AppUser, IdentityRole>(o =>
{
o.Password.RequireDigit = false;
o.Password.RequireLowercase = false;
o.Password.RequireUppercase = false;
o.Password.RequireNonAlphanumeric = false;
o.Password.RequiredLength = 6;
})
.AddEntityFrameworkStores<AppEntityContext>()
.AddDefaultTokenProviders();
services.AddOpenIddict<AppUser, AppEntityContext>()
.EnableTokenEndpoint("/api/token")
.AllowRefreshTokenFlow()
.SetRefreshTokenLifetime(TimeSpan.FromHours(1))
.AllowPasswordFlow()
.DisableHttpsRequirement()
.AddEphemeralSigningKey();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory,
IAntiforgery antiforgery)
{
var secretKey = Tokens["SecretKey"];
var apiIssuerKey = Tokens["WebApiIssuerKey"];
var apiAudienceKey = Tokens["WebApiAudienceKey"];
app.UseCors(builder =>
{
builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader();
});
app.UseIdentity();
app.UseOAuthValidation();
app.UseOpenIddict();
app.UseMvc();
}
getToken: function (data, success, error) {
$http({
method: "POST",
url: apiUrl + "token",
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
data: "username=" + data.email + "&password=" + data.password + "&grant_type=password"
}).then(success, error);
},
So, the question is what configuration do I need to enable refresh token generation (and re-issue access token according to this refresh token)?
BTW, please share your thoughts if you have any suggestions on how make the openiddict configuration more secure.
@codethetalk seems reasonable. And what should I do to be able to exchange the refresh token for a new pair of tokens? Is there a built-in functionality for that purpose in openiddict? Or, if not, could you please give me an short example of how this can be done.
Thanks
@codethetalk thanks for your help :+1:
answer was deleted by mistake, retrieved it thanks to google cache.
from the original answer:-
Try appending scopes to your request. To retrieve refresh tokens, add 'offline_access' scope to your request.
http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

to test using postman, you could do the following

once you have a refresh token, you could later exchange it for another access token

@user09987 thanks, really help a lot!!!
Most helpful comment
answer was deleted by mistake, retrieved it thanks to google cache.
from the original answer:-
Try appending scopes to your request. To retrieve refresh tokens, add 'offline_access' scope to your request.
http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
to test using postman, you could do the following
once you have a refresh token, you could later exchange it for another access token