How refresh tokens work and save us

  • Question

  • User-466819921 posted

    Still I do not understand refresh tokens, so I am requesting that you please tell me how it works and why I should use it, with its advantages?

    I know what an access token is. When we access the web API the first time, we send user credentials, the web API validates them and returns an access token. After a few minutes the access token expires, and then we need to send the credentials again to get an access token.

    To avoid sending user credentials again and again when the access token expires, that is why the refresh token comes into the picture. So my question is: when the access token is generated the first time, is a refresh token also generated and sent to the client?

    Do I need to save the access token and refresh token in the DB against the user ID to validate whether they are valid or not, meaning just to check whether they were generated by our system?

    How does a refresh token prevent sending client credentials and save us?

    Is a refresh token one-time, meaning for every request we need to send a new refresh token to the client along with the access token, whether the access token has expired or not?

    Please tell me the refresh token story nicely with an example.

    Also please provide some links which guide me on how to implement refresh tokens when working with MVC 5 and Web API 2 in the VS 2013 IDE. Thanks.

    Thursday, July 5, 2018 7:54 PM

All replies

  • User36583972 posted


    Hi dev_dona,

    When you send the token to the Web API, the Web API will check the token. If the access_token's expiry time has been reached, access will be refused.

    You need to acquire a new token or try to extend the time through the following code in the Web API. We need to decide whether we need to get the token again according to the information returned by the Web API.

                using System;
                using System.Security.Claims;
                using Microsoft.Owin.Security;

                // First, decrypt (unprotect) the token string into an AuthenticationTicket.
                // Unprotect returns null for a token that was not issued by this server.
                AuthenticationTicket ticket = Startup.OAuthOptions.AccessTokenFormat.Unprotect(Token);
                if (ticket != null && ticket.Properties != null && ticket.Properties.ExpiresUtc.HasValue)
                {
                    // The identity is only available once we know the ticket is valid
                    ClaimsIdentity identity = ticket.Identity;
                    if (ticket.Properties.ExpiresUtc.Value < DateTimeOffset.UtcNow)
                    {
                        // Change the time - increased by 36000 seconds.
                        // DateTimeOffset is immutable, so the result of AddSeconds must be assigned back.
                        ticket.Properties.ExpiresUtc = ticket.Properties.ExpiresUtc.Value.AddSeconds(36000);
                    }
                }
                // Re-encrypt (protect) the ticket into a token string
                string token = Startup.OAuthOptions.AccessTokenFormat.Protect(ticket);


    You can refer to the following sample.

    Secure a Web API with Individual Accounts and Local Login in ASP.NET Web API 2.2
    https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/individual-accounts-in-web-api

    Best Regards,

    Yong Lu

    Friday, July 6, 2018 5:40 AM
  • User-466819921 posted

    Your answer does not match my questions. I asked several questions about refresh tokens, so please read my questions and answer them one by one.

    I do not understand your code and its objective, so please explain when to use your code. Thanks.

    Friday, July 6, 2018 5:23 PM
  • User475983607 posted

    dev_dona

    Still I do not understand refresh tokens, so I am requesting that you please tell me how it works and why I should use it, with its advantages?

    I'll assume this question is related to the OAuth protocol. A general description of refresh tokens can be found at the following link.

    https://auth0.com/learn/refresh-tokens/

    The refresh token spec is located in the RFC.

    https://tools.ietf.org/html/rfc6749#page-10

    dev_dona

    To avoid sending user credentials again and again when the access token expires, that is why the refresh token comes into the picture. So my question is: when the access token is generated the first time, is a refresh token also generated and sent to the client?

    It depends on the service and flow. You'll need to read the support docs for the service you are using. If you are building the OAuth service then you'll need to determine how you wish to handle/support refresh tokens.

    dev_dona

    Do I need to save the access token and refresh token in the DB against the user ID to validate whether they are valid or not, meaning just to check whether they were generated by our system?

    If you are the client then you must take care in saving refresh tokens, as refresh tokens are long-lived and can be used to get new access tokens. If you are building an OAuth service, then this design element is up to you, but I imagine you'll want to store the refresh token in a database so the token can be revoked if necessary.

    dev_dona

    How does a refresh token prevent sending client credentials and save us?

    I'm not sure what you're asking. Hopefully the refresh token specs answered this question.

    dev_dona

    Is a refresh token one-time, meaning for every request we need to send a new refresh token to the client along with the access token, whether the access token has expired or not?

    I do not understand your question. In my experience, a refresh token is used to renew an access token. Since the client can read the access token expiration, the client can renew the access token at any time.

    dev_dona

    Please tell me the refresh token story nicely with an example.

    IMHO, you cannot learn refresh tokens without a solid understanding of OAuth. You'll need to find a way to learn this stuff. Personally, I read the RFCs, more than once now...

    dev_dona

    Also please provide some links which guide me on how to implement refresh tokens when working with MVC 5 and Web API 2 in the VS 2013 IDE. Thanks.

    There is a basic authentication server tutorial on the ASP.NET docs.

    https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

    Friday, July 6, 2018 6:04 PM
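As an added worked example, not code from this thread nor from ASP.NET Web API 2, here is a small Python simulation of the refresh-token flow that the replies above describe and that RFC 6749 (linked above) specifies: the client sends its credentials once and receives a short-lived access token plus a long-lived refresh token; the API checks the access token on every request and refuses it once its expiry time is reached (the same check Yong Lu's snippet performs on the AuthenticationTicket); the client then exchanges the refresh token for a new pair without resending the password. It also answers the storage and one-time-use questions from the original post: the server keeps only a hash of each refresh token in its "database", so it can confirm a presented token was issued by this system and revoke it, and it rotates refresh tokens so each one is accepted exactly once, with reuse of an already-rotated token revoking the whole token family as RFC 6749 section 10.4 suggests. `TokenService`, `FakeClock`, the `user|exp|mac` access-token format and the sample user `dev_dona` are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300            # access tokens are short-lived (5 minutes here)
REFRESH_TTL = 14 * 86400    # refresh tokens are long-lived (14 days here)


def _h(token: str) -> str:
    """Store only a hash of the refresh token so a leaked DB cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RefreshRecord:
    user_id: str
    expires_at: float
    family: str            # every token descending from one login shares a family id
    revoked: bool = False


class FakeClock:
    """Constructed clock so the example can fast-forward past expiry offline."""
    def __init__(self, start: float) -> None:
        self.t = float(start)

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TokenService:
    """Hypothetical authorization server: password grant, refresh grant, rotation, revocation."""

    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self._signing_key = secrets.token_bytes(32)
        self._refresh_store = {}   # hash(refresh_token) -> RefreshRecord; the "DB" from the question
        # Constructed user store; a real server uses a slow password hash (bcrypt/Argon2).
        self._users = {"dev_dona": hashlib.sha256(b"correct horse").hexdigest()}

    # --- access tokens: self-contained and HMAC-signed, so the API validates them without a DB ---
    def _sign_access(self, user_id: str, exp: float) -> str:
        payload = f"{user_id}|{int(exp)}"
        mac = hmac.new(self._signing_key, payload.encode(), "sha256").hexdigest()
        return f"{payload}|{mac}"

    def validate_access(self, token: str):
        """Return the user id if the token is authentic and unexpired, else None."""
        parts = token.split("|")
        if len(parts) != 3:
            return None
        user_id, exp, mac = parts
        expected = hmac.new(self._signing_key, f"{user_id}|{exp}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None          # forged or tampered: not generated by our system
        if int(exp) <= self.clock():
            return None          # expired: the client must use its refresh token
        return user_id

    # --- issuing a pair: both tokens are returned together, on login and on every refresh ---
    def _issue_pair(self, user_id: str, family: str) -> dict:
        now = self.clock()
        refresh = secrets.token_urlsafe(32)   # opaque and random, only meaningful to this server
        self._refresh_store[_h(refresh)] = RefreshRecord(user_id, now + REFRESH_TTL, family)
        return {"token_type": "Bearer", "expires_in": ACCESS_TTL,
                "access_token": self._sign_access(user_id, now + ACCESS_TTL),
                "refresh_token": refresh}

    def password_grant(self, username: str, password: str):
        """Resource-owner password grant: the only step where user credentials are sent."""
        stored = self._users.get(username)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, digest):
            return None
        return self._issue_pair(username, family=secrets.token_hex(8))

    def refresh_grant(self, refresh_token: str):
        """Exchange a refresh token for a new pair without resending credentials."""
        rec = self._refresh_store.get(_h(refresh_token))
        if rec is None or rec.expires_at <= self.clock():
            return None          # unknown or expired: the client must log in again
        if rec.revoked:
            # An already-rotated token came back: either the user or someone else holds a
            # copy, so invalidate the whole family and force a fresh login (RFC 6749 s10.4).
            self.revoke_family(rec.family)
            return None
        rec.revoked = True       # rotation: each refresh token is accepted once
        return self._issue_pair(rec.user_id, rec.family)

    def revoke_family(self, family: str) -> None:
        for rec in self._refresh_store.values():
            if rec.family == family:
                rec.revoked = True


if __name__ == "__main__":
    clock = FakeClock(1_000_000)
    svc = TokenService(clock=clock.now)
    first = svc.password_grant("dev_dona", "correct horse")     # credentials sent once
    print("access valid:", svc.validate_access(first["access_token"]))
    clock.advance(ACCESS_TTL + 1)                               # wait past expiry
    print("after expiry:", svc.validate_access(first["access_token"]))
    second = svc.refresh_grant(first["refresh_token"])          # no password needed
    print("renewed for:", svc.validate_access(second["access_token"]))
    print("old refresh reused:", svc.refresh_grant(first["refresh_token"]))
```

On the real Web API 2 / OWIN stack the same responsibilities are split between the `OAuthAuthorizationServerProvider` (its `GrantResourceOwnerCredentials` and `GrantRefreshToken` overrides) and an `IAuthenticationTokenProvider` assigned to `OAuthAuthorizationServerOptions.RefreshTokenProvider`, whose `CreateAsync`/`ReceiveAsync` are where the server stores the refresh-token hash and looks it up again, as in `_issue_pair` and `refresh_grant` above.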