OWIN Security - How to Implement OAuth2 Refresh Tokens

Question

I am using the Web Api 2 template that comes with Visual Studio 2013 has some OWIN middleware to do User Authentication and the likes of   In the OAuthAuthorizationServerOptions I noticed that the OAuth2 Server is setup to hand out tokens that expire in 14 days   OAuthOptions   new OAuthAuthorizationServerOptions          TokenEndpointPath   new PathString   api token          Provider   new ApplicationOAuthProvider PublicClientId UserManagerFactory          AuthorizeEndpointPath   new PathString   api Account ExternalLogin          AccessTokenExpireTimeSpan   TimeSpan FromDays 14         AllowInsecureHttp   true       This is not suitable for my latest project  I would like to hand out short lived bearer tokens that can be refreshed using a refresh token  I have done lots of googling and can t find anything helpful   So this is how far I have managed to get  I have now reached the point of  WTF do I now    I have written a RefreshTokenProvider that implements IAuthenticationTokenProvider as per the RefreshTokenProvider property on OAuthAuthorizationServerOptions class       public class SimpleRefreshTokenProvider   IAuthenticationTokenProvider              private static ConcurrentDictionary lt string  AuthenticationTicket gt   refreshTokens   new ConcurrentDictionary lt string  AuthenticationTicket gt              public async Task CreateAsync AuthenticationTokenCreateContext context                        var guid   Guid NewGuid   ToString                   refreshTokens TryAdd guid  context Ticket                   hash               context SetToken guid                      public async Task ReceiveAsync AuthenticationTokenReceiveContext context                        AuthenticationTicket ticket               if   refreshTokens TryRemove context Token  out ticket                                 context SetTicket ticket                                    public void Create AuthenticationTokenCreateContext context                        throw new NotImplementedException                       public void Receive AuthenticationTokenReceiveContext context                        throw new NotImplementedException                            Now in my Startup Auth cs     OAuthOptions   new OAuthAuthorizationServerOptions               TokenEndpointPath   new PathString   api token            Provider   new ApplicationOAuthProvider PublicClientId UserManagerFactory            AuthorizeEndpointPath   new PathString   api Account ExternalLogin            AccessTokenExpireTimeSpan   TimeSpan FromMinutes 2           AllowInsecureHttp   true          RefreshTokenProvider   new RefreshTokenProvider      This is my test          So now when someone requests a bearer token I am now sending a refresh token  which is great   So now how do I uses this refresh token to get a new bearer token  presumably I need to send a request to my token endpoint with some specific HTTP Headers set   Just thinking out loud as I type    Should I handle refresh token expiration in my SimpleRefreshTokenProvider  How would a client obtain a new refresh token   I could really do with some reading material   documentation because I don t want to get this wrong and would like to follow some sort of standard

User · Accepted Answer

Just implemented my OWIN Service with Bearer (called access_token in the following) and Refresh Tokens. My insight into this is that you can use different flows. So it depends on the flow you want to use how you set your access_token and refresh_token expiration times.

I will describe two flows A and B in the follwing (I suggest what you want to have is flow B):

A) expiration time of access_token and refresh_token are the same as it is per default 1200 seconds or 20 minutes. This flow needs your client first to send client_id and client_secret with login data to get an access_token, refresh_token and expiration_time. With the refresh_token it is now possible to get a new access_token for 20 minutes (or whatever you set the AccessTokenExpireTimeSpan in the OAuthAuthorizationServerOptions to). For the reason that the expiration time of access_token and refresh_token are the same, your client is responsible to get a new access_token before the expiration time! E.g. your client could send a refresh POST call to your token endpoint with the body (remark: you should use https in production)

grant_type=refresh_token&client_id=xxxxxx&refresh_token=xxxxxxxx-xxxx-xxxx-xxxx-xxxxx

to get a new token after e.g. 19 minutes to prevent the tokens from expiration.

B) in this flow you want to have a short term expiration for your access_token and a long term expiration for your refresh_token. Lets assume for test purpose you set the access_token to expire in 10 seconds (AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(10)) and the refresh_token to 5 Minutes. Now it comes to the interesting part setting the expiration time of refresh_token: You do this in your createAsync function in SimpleRefreshTokenProvider class like this:

var guid = Guid.NewGuid().ToString();


        //copy properties and set the desired lifetime of refresh token
        var refreshTokenProperties = new AuthenticationProperties(context.Ticket.Properties.Dictionary)
        {
            IssuedUtc = context.Ticket.Properties.IssuedUtc,
            ExpiresUtc = DateTime.UtcNow.AddMinutes(5) //SET DATETIME to 5 Minutes
            //ExpiresUtc = DateTime.UtcNow.AddMonths(3) 
        };
        /*CREATE A NEW TICKET WITH EXPIRATION TIME OF 5 MINUTES 
         *INCLUDING THE VALUES OF THE CONTEXT TICKET: SO ALL WE 
         *DO HERE IS TO ADD THE PROPERTIES IssuedUtc and 
         *ExpiredUtc to the TICKET*/
        var refreshTokenTicket = new AuthenticationTicket(context.Ticket.Identity, refreshTokenProperties);

        //saving the new refreshTokenTicket to a local var of Type ConcurrentDictionary<string,AuthenticationTicket>
        // consider storing only the hash of the handle
        RefreshTokens.TryAdd(guid, refreshTokenTicket);            
        context.SetToken(guid);

Now your client is able to send a POST call with a refresh_token to your token endpoint when the access_token is expired. The body part of the call may look like this: grant_type=refresh_token&client_id=xxxxxx&refresh_token=xxxxxxxx-xxxx-xxxx-xxxx-xx

One important thing is that you may want to use this code not only in your CreateAsync function but also in your Create function. So you should consider to use your own function (e.g. called CreateTokenInternal) for the above code. Here you can find implementations of different flows including refresh_token flow(but without setting the expiration time of the refresh_token)

Here is one sample implementation of IAuthenticationTokenProvider on github (with setting the expiration time of the refresh_token)

I am sorry that I can't help out with further materials than the OAuth Specs and the Microsoft API Documentation. I would post the links here but my reputation doesn't let me post more than 2 links....

I hope this may help some others to spare time when trying to implement OAuth2.0 with refresh_token expiration time different to access_token expiration time. I couldn't find an example implementation on the web (except the one of thinktecture linked above) and it took me some hours of investigation until it worked for me.

New info: In my case I have two different possibilities to receive tokens. One is to receive a valid access_token. There I have to send a POST call with a String body in format application/x-www-form-urlencoded with the following data

client_id=YOURCLIENTID&grant_type=password&username=YOURUSERNAME&password=YOURPASSWORD

Second is if access_token is not valid anymore we can try the refresh_token by sending a POST call with a String body in format application/x-www-form-urlencoded with the following data grant_type=refresh_token&client_id=YOURCLIENTID&refresh_token=YOURREFRESHTOKENGUID

User · Answer

I don t think that you should be using an array to maintain tokens  Neither you need a guid as a token   You can easily use context SerializeTicket     See my below code   public class RefreshTokenProvider   IAuthenticationTokenProvider       public async Task CreateAsync AuthenticationTokenCreateContext context                Create context              public async Task ReceiveAsync AuthenticationTokenReceiveContext context                Receive context              public void Create AuthenticationTokenCreateContext context                object inputs          context OwinContext Environment TryGetValue  Microsoft Owin Form collection   out inputs            var grantType     FormCollection inputs   GetValues  grant type             var grant   grantType FirstOrDefault             if  grant    null    grant Equals  refresh token    return           context Ticket Properties ExpiresUtc   DateTime UtcNow AddDays Constants RefreshTokenExpiryInDays            context SetToken context SerializeTicket                public void Receive AuthenticationTokenReceiveContext context                context DeserializeTicket context Token            if  context Ticket    null                        context Response StatusCode   400              context Response ContentType    application json               context Response ReasonPhrase    invalid token               return                     if  context Ticket Properties ExpiresUtc  lt   DateTime UtcNow                        context Response StatusCode   401              context Response ContentType    application json               context Response ReasonPhrase    unauthorized               return                     context Ticket Properties ExpiresUtc   DateTime UtcNow AddDays Constants RefreshTokenExpiryInDays           context SetTicket context Ticket

User · Answer

Freddy s answer helped me a lot to get this working  For the sake of completeness here s how you could implement hashing of the token   private string ComputeHash Guid input        byte   source   input ToByteArray         var encoder   new SHA256Managed        byte   encoded   encoder ComputeHash source        return Convert ToBase64String encoded       In CreateAsync   var guid   Guid NewGuid         refreshTokens TryAdd ComputeHash guid   refreshTokenTicket   context SetToken guid ToString       ReceiveAsync   public async Task ReceiveAsync AuthenticationTokenReceiveContext context        Guid token       if  Guid TryParse context Token  out token                 AuthenticationTicket ticket           if   refreshTokens TryRemove ComputeHash token   out ticket                         context SetTicket ticket

User · Answer

You need to implement RefreshTokenProvider  First create class for RefreshTokenProvider ie   public class ApplicationRefreshTokenProvider   AuthenticationTokenProvider       public override void Create AuthenticationTokenCreateContext context                   Expiration time in seconds         int expire   5 60          context Ticket Properties ExpiresUtc   new DateTimeOffset DateTime Now AddSeconds expire            context SetToken context SerializeTicket                public override void Receive AuthenticationTokenReceiveContext context                context DeserializeTicket context Token             Then add instance to OAuthOptions   OAuthOptions   new OAuthAuthorizationServerOptions       TokenEndpointPath   new PathString   authenticate        Provider   new ApplicationOAuthProvider        AccessTokenExpireTimeSpan   TimeSpan FromSeconds expire       RefreshTokenProvider   new ApplicationRefreshTokenProvider

[c#] OWIN Security - How to Implement OAuth2 Refresh Tokens

Examples related to c#

Examples related to asp.net-web-api

Examples related to oauth-2.0

Examples related to asp.net-identity

Examples related to owin