How refresh token works and save us

Question
-
User-466819921 posted
I still do not understand refresh tokens, so please tell me how they work and why I should use them, with their advantages.
I know what an access token is. When we access the Web API for the first time, we send user credentials, the Web API validates them and returns an access token. After a few minutes the access token expires, and then we need to send credentials again to get an access token.
To avoid sending user credentials again and again when the access token expires, that is why the refresh token comes into the picture. So my question is: when the access token is generated for the first time, is the refresh token also generated and sent to the client?
Do I need to save the access token and refresh token in the DB against the user id to validate whether they are valid or not, meaning just to check whether they were generated by our system?
How does a refresh token prevent sending client credentials and save us?
Is a refresh token one time, meaning for every request we need to send a new refresh token along with the access token to the client, whether the access token has expired or not?
Please tell me the refresh token story nicely with an example.
Also, please provide some links which guide me on how to implement refresh tokens when working with MVC 5, Web API 2 with the VS 2013 IDE. Thanks
Thursday, July 5, 2018 7:54 PM
All replies
-
User36583972 posted
Hi dev_dona,
When you send the token to the Web API, the Web API will check the token. If the access_token expiry time has been reached, access will be refused.
You need to acquire a new token or try to extend the time through the following code in the Web API. We need to decide whether we need to get the token again according to the information returned by the Web API.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;

// First, token decryption
AuthenticationTicket ticket = Startup.OAuthOptions.AccessTokenFormat.Unprotect(Token);
if (ticket != null && ticket.Properties != null && ticket.Properties.ExpiresUtc.HasValue)
{
    // Read the identity only after the null check on the ticket
    ClaimsIdentity identity = ticket.Identity;
    if (ticket.Properties.ExpiresUtc.Value < DateTimeOffset.UtcNow)
    {
        // Change the time - increased by 36000 seconds.
        // DateTimeOffset is immutable, so the result of AddSeconds must be assigned back.
        ticket.Properties.ExpiresUtc = ticket.Properties.ExpiresUtc.Value.AddSeconds(36000);
    }
}
// Token encryption protection
string token = Startup.OAuthOptions.AccessTokenFormat.Protect(ticket);
```

You can refer to the following sample.
Secure a Web API with Individual Accounts and Local Login in ASP.NET Web API 2.2
https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/individual-accounts-in-web-api
Best Regards,
Yong Lu
Friday, July 6, 2018 5:40 AM
-
User-466819921 posted
Your answer does not match my questions. I asked several questions about refresh tokens, so please read my questions and answer them one by one.
I do not understand your code and its objective, so please explain when to use your code. Thanks
Friday, July 6, 2018 5:23 PM
-
User475983607 posted
dev_dona
Still i do not understand refresh token. so requesting please tell me how it works and why should i use it with advantage ?

I'll assume this question is related to the OAuth protocol. A general description of refresh tokens can be found at the following link.
https://auth0.com/learn/refresh-tokens/
The refresh token spec is located in the RFC.
https://tools.ietf.org/html/rfc6749#page-10

dev_dona
to avoid sending user credentials again and again when access token expire that is why refresh token comes to picture. so my question is when first time access token is generated then refresh token is also generated and send to client ?

It depends on the service and flow. You'll need to read the support docs for the service you are using. If you are building the OAuth service then you'll need to determine how you wish to handle/support refresh tokens.

dev_dona
do i need to save access token and refresh token in db against user id to validate it that are those valid or not means just to check whether it was generated by our system ?

If you are the client then you must take care in saving refresh tokens, as refresh tokens are long lived and can be used to get new access tokens. If you are building an OAuth service, then this design element is up to you, but I imagine you'll want to store the refresh token in a database so the token can be revoked if necessary.

dev_dona
how refresh token prevent to send client credentials and save us ?

I'm not sure what you're asking. Hopefully the refresh token specs answered this question.

dev_dona
refresh token is one time means for every request we need to send a new refresh token along with access token whether access token expire or not to client ?

I do not understand your question. In my experience, a refresh token is used to renew an access token. Since the client can read the access token expiration, the client can renew the access token at any time.

dev_dona
please tell me refresh token story nicely with example.

IMHO, you cannot learn refresh tokens without a solid understanding of OAuth. You'll need to find a way to learn this stuff. Personally, I read the RFCs, more than once now...

dev_dona
also please provide some links which guide me how to implement refresh token when working with mvc 5, web api 2 with VS 2013 IDE. thanks

There is a basic authentication server tutorial on the ASP.NET docs.
Friday, July 6, 2018 6:04 PM
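
The reply above suggests storing refresh tokens server-side so they can be revoked, and using them to renew access tokens. The following is an added example, not code from any poster in this thread: a refresh token provider for the OWIN OAuth authorization server in which each refresh token works once and can be revoked. The class name, the in-memory dictionary (standing in for a database table) and the 14-day lifetime are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical provider: single-use, revocable refresh tokens.
public class SingleUseRefreshTokenProvider : AuthenticationTokenProvider
{
    // Stand-in for a database table: SHA-256 of the handle -> protected ticket.
    // Only the hash is stored, so a leaked table does not yield usable tokens.
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    private static string Hash(string handle)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(handle)));
    }

    // Runs when the token endpoint issues an access token.
    public override void Create(AuthenticationTokenCreateContext context)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string handle = BitConverter.ToString(bytes).Replace("-", ""); // random, URL-safe
        // The refresh ticket gets its own, longer lifetime (assumed: 14 days).
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(14);
        Store[Hash(handle)] = context.SerializeTicket();
        context.SetToken(handle); // returned to the client as refresh_token
    }

    // Runs for grant_type=refresh_token; the client sends no user credentials.
    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        string protectedTicket;
        // TryRemove makes the handle single use: a replayed or revoked handle finds nothing.
        if (context.Token != null && Store.TryRemove(Hash(context.Token), out protectedTicket))
            context.DeserializeTicket(protectedTicket);
        // If no ticket is set here, the token request is rejected.
    }

    // Revocation, e.g. on logout or suspected theft: delete the stored entry.
    public static bool Revoke(string handle)
    {
        string ignored;
        return Store.TryRemove(Hash(handle), out ignored);
    }
}
```

The provider is enabled by assigning an instance to `OAuthAuthorizationServerOptions.RefreshTokenProvider`; because `Create` runs again after a successful refresh, the client receives a new refresh token with each renewed access token.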