OWIN Security - How to Implement OAuth2 Refresh Tokens

Question

I am using the Web Api 2 template that comes with Visual Studio 2013 has some OWIN middleware to do User Authentication and the likes of.

In the OAuthAuthorizationServerOptions I noticed that the OAuth2 Server is setup to hand out tokens that expire in 14 days

 OAuthOptions = new OAuthAuthorizationServerOptions
 {
      TokenEndpointPath = new PathString("/api/token"),
      Provider = new ApplicationOAuthProvider(PublicClientId,UserManagerFactory) ,
      AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
      AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
      AllowInsecureHttp = true
 };

This is not suitable for my latest project. I would like to hand out short lived bearer_tokens that can be refreshed using a refresh_token

I have done lots of googling and can't find anything helpful.

So this is how far I have managed to get. I have now reached the point of "WTF do I now".

I have written a RefreshTokenProvider that implements IAuthenticationTokenProvider as per the RefreshTokenProvider property on OAuthAuthorizationServerOptions class:

    public class SimpleRefreshTokenProvider : IAuthenticationTokenProvider
    {
       private static ConcurrentDictionary<string, AuthenticationTicket> _refreshTokens = new ConcurrentDictionary<string, AuthenticationTicket>();

        public async Task CreateAsync(AuthenticationTokenCreateContext context)
        {
            var guid = Guid.NewGuid().ToString();


            _refreshTokens.TryAdd(guid, context.Ticket);

            // hash??
            context.SetToken(guid);
        }

        public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
        {
            AuthenticationTicket ticket;

            if (_refreshTokens.TryRemove(context.Token, out ticket))
            {
                context.SetTicket(ticket);
            }
        }

        public void Create(AuthenticationTokenCreateContext context)
        {
            throw new NotImplementedException();
        }

        public void Receive(AuthenticationTokenReceiveContext context)
        {
            throw new NotImplementedException();
        }
    }

    // Now in my Startup.Auth.cs
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/api/token"),
        Provider = new ApplicationOAuthProvider(PublicClientId,UserManagerFactory) ,
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(2),
        AllowInsecureHttp = true,
        RefreshTokenProvider = new RefreshTokenProvider() // This is my test
    };

So now when someone requests a bearer_token I am now sending a refresh_token, which is great.

So now how do I uses this refresh_token to get a new bearer_token, presumably I need to send a request to my token endpoint with some specific HTTP Headers set?

Just thinking out loud as I type... Should I handle refresh_token expiration in my SimpleRefreshTokenProvider? How would a client obtain a new refresh_token?

I could really do with some reading material / documentation because I don't want to get this wrong and would like to follow some sort of standard.

User · Answer

I don t think that you should be using an array to maintain tokens  Neither you need a guid as a token   You can easily use context SerializeTicket     See my below code   public class RefreshTokenProvider   IAuthenticationTokenProvider       public async Task CreateAsync AuthenticationTokenCreateContext context                Create context              public async Task ReceiveAsync AuthenticationTokenReceiveContext context                Receive context              public void Create AuthenticationTokenCreateContext context                object inputs          context OwinContext Environment TryGetValue  Microsoft Owin Form collection   out inputs            var grantType     FormCollection inputs   GetValues  grant type             var grant   grantType FirstOrDefault             if  grant    null    grant Equals  refresh token    return           context Ticket Properties ExpiresUtc   DateTime UtcNow AddDays Constants RefreshTokenExpiryInDays            context SetToken context SerializeTicket                public void Receive AuthenticationTokenReceiveContext context                context DeserializeTicket context Token            if  context Ticket    null                        context Response StatusCode   400              context Response ContentType    application json               context Response ReasonPhrase    invalid token               return                     if  context Ticket Properties ExpiresUtc  lt   DateTime UtcNow                        context Response StatusCode   401              context Response ContentType    application json               context Response ReasonPhrase    unauthorized               return                     context Ticket Properties ExpiresUtc   DateTime UtcNow AddDays Constants RefreshTokenExpiryInDays           context SetTicket context Ticket

User · Answer

You need to implement RefreshTokenProvider  First create class for RefreshTokenProvider ie   public class ApplicationRefreshTokenProvider   AuthenticationTokenProvider       public override void Create AuthenticationTokenCreateContext context                   Expiration time in seconds         int expire   5 60          context Ticket Properties ExpiresUtc   new DateTimeOffset DateTime Now AddSeconds expire            context SetToken context SerializeTicket                public override void Receive AuthenticationTokenReceiveContext context                context DeserializeTicket context Token             Then add instance to OAuthOptions   OAuthOptions   new OAuthAuthorizationServerOptions       TokenEndpointPath   new PathString   authenticate        Provider   new ApplicationOAuthProvider        AccessTokenExpireTimeSpan   TimeSpan FromSeconds expire       RefreshTokenProvider   new ApplicationRefreshTokenProvider

User · Answer

Just implemented my OWIN Service with Bearer  called access token in the following  and Refresh Tokens  My insight into this is that you can use different flows  So it depends on the flow you want to use how you set your access token and refresh token expiration times    I will describe two flows A and B in the follwing  I suggest what you want to have is flow B    A  expiration time of access token and refresh token are the same as it is per default 1200 seconds or 20 minutes  This flow needs your client first to send client id and client secret with login data to get an access token  refresh token and expiration time  With the refresh token it is now possible to get a new access token for 20 minutes  or whatever you set the AccessTokenExpireTimeSpan in the OAuthAuthorizationServerOptions to   For the reason that the expiration time of access token and refresh token are the same  your client is responsible to get a new access token before the expiration time  E g  your client could send a refresh POST call to your token endpoint with the body  remark  you should use https in production    grant type refresh token amp client id xxxxxx amp refresh token xxxxxxxx-xxxx-xxxx-xxxx-xxxxx   to get a new token after e g  19 minutes to prevent the tokens from expiration    B  in this flow you want to have a short term expiration for your access token and a long term expiration for your refresh token  Lets assume for test purpose you set the access token to expire in 10 seconds  AccessTokenExpireTimeSpan   TimeSpan FromSeconds 10   and the refresh token to 5 Minutes  Now it comes to the interesting part setting the expiration time of refresh token  You do this in your createAsync function in SimpleRefreshTokenProvider class like this   var guid   Guid NewGuid   ToString                copy properties and set the desired lifetime of refresh token         var refreshTokenProperties   new AuthenticationProperties context Ticket Properties Dictionary                        IssuedUtc   context Ticket Properties IssuedUtc              ExpiresUtc   DateTime UtcNow AddMinutes 5    SET DATETIME to 5 Minutes               ExpiresUtc   DateTime UtcNow AddMonths 3                        CREATE A NEW TICKET WITH EXPIRATION TIME OF 5 MINUTES            INCLUDING THE VALUES OF THE CONTEXT TICKET  SO ALL WE            DO HERE IS TO ADD THE PROPERTIES IssuedUtc and            ExpiredUtc to the TICKET           var refreshTokenTicket   new AuthenticationTicket context Ticket Identity  refreshTokenProperties              saving the new refreshTokenTicket to a local var of Type ConcurrentDictionary lt string AuthenticationTicket gt             consider storing only the hash of the handle         RefreshTokens TryAdd guid  refreshTokenTicket                       context SetToken guid     Now your client is able to send a POST call with a refresh token to your token endpoint when the access token is expired  The body part of the call may look like this  grant type refresh token amp client id xxxxxx amp refresh token xxxxxxxx-xxxx-xxxx-xxxx-xx   One important thing is that you may want to use this code not only in your CreateAsync function but also in your Create function  So you should consider to use your own function  e g  called CreateTokenInternal  for the above code  Here you can find implementations of different flows including refresh token flow but without setting the expiration time of the refresh token   Here is one sample implementation of IAuthenticationTokenProvider on github  with setting the expiration time of the refresh token   I am sorry that I can t help out with further materials than the OAuth Specs and the Microsoft API Documentation  I would post the links here but my reputation doesn t let me post more than 2 links      I hope this may help some others to spare time when trying to implement OAuth2 0 with refresh token expiration time different to access token expiration time  I couldn t find an example implementation on the web  except the one of thinktecture linked above  and it took me some hours of investigation until it worked for me   New info  In my case I have two different possibilities to receive tokens  One is to receive a valid access token  There I have to send a POST call with a String body in format application x-www-form-urlencoded with the following data    client id YOURCLIENTID amp grant type password amp username YOURUSERNAME amp password YOURPASSWORD   Second is if access token is not valid anymore we can try the refresh token by sending a POST call with a String body in format application x-www-form-urlencoded with the following data grant type refresh token amp client id YOURCLIENTID amp refresh token YOURREFRESHTOKENGUID

User · Answer

Freddy s answer helped me a lot to get this working  For the sake of completeness here s how you could implement hashing of the token   private string ComputeHash Guid input        byte   source   input ToByteArray         var encoder   new SHA256Managed        byte   encoded   encoder ComputeHash source        return Convert ToBase64String encoded       In CreateAsync   var guid   Guid NewGuid         refreshTokens TryAdd ComputeHash guid   refreshTokenTicket   context SetToken guid ToString       ReceiveAsync   public async Task ReceiveAsync AuthenticationTokenReceiveContext context        Guid token       if  Guid TryParse context Token  out token                 AuthenticationTicket ticket           if   refreshTokens TryRemove ComputeHash token   out ticket                         context SetTicket ticket

[c#] OWIN Security - How to Implement OAuth2 Refresh Tokens

The answer is

Examples related to c#

Examples related to asp.net-web-api

Examples related to oauth-2.0

Examples related to asp.net-identity

Examples related to owin

Tags