IdentityServer4 - Using Refresh Tokens after following the Quickstart for Hybrid MVC
Solution 1
The McvHybrid sample has a good example for getting the new access_token and refresh_token back into the principal. Here's a link to the github file with the code, which is located in RenewTokens() as shown below.
public async Task<IActionResult> RenewTokens()
{
var disco = await DiscoveryClient.GetAsync(Constants.Authority);
if (disco.IsError) throw new Exception(disco.Error);
var tokenClient = new TokenClient(disco.TokenEndpoint, "mvc.hybrid", "secret");
var rt = await HttpContext.Authentication.GetTokenAsync("refresh_token");
var tokenResult = await tokenClient.RequestRefreshTokenAsync(rt);
if (!tokenResult.IsError)
{
var old_id_token = await HttpContext.Authentication.GetTokenAsync("id_token");
var new_access_token = tokenResult.AccessToken;
var new_refresh_token = tokenResult.RefreshToken;
var tokens = new List<AuthenticationToken>();
tokens.Add(new AuthenticationToken { Name = OpenIdConnectParameterNames.IdToken, Value = old_id_token });
tokens.Add(new AuthenticationToken { Name = OpenIdConnectParameterNames.AccessToken, Value = new_access_token });
tokens.Add(new AuthenticationToken { Name = OpenIdConnectParameterNames.RefreshToken, Value = new_refresh_token });
var expiresAt = DateTime.UtcNow + TimeSpan.FromSeconds(tokenResult.ExpiresIn);
tokens.Add(new AuthenticationToken { Name = "expires_at", Value = expiresAt.ToString("o", CultureInfo.InvariantCulture) });
var info = await HttpContext.Authentication.GetAuthenticateInfoAsync("Cookies");
info.Properties.StoreTokens(tokens);
await HttpContext.Authentication.SignInAsync("Cookies", info.Principal, info.Properties);
return Redirect("~/Home/Secure");
}
ViewData["Error"] = tokenResult.Error;
return View("Error");
}
Solution 2
As an option to RenewTokens method from MVC Client example, I made one filter that makes the job automatically, when the token is about 10 minutes or less to expire.
public class TokenFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var expat = filterContext.HttpContext.Authentication.GetTokenAsync("expires_at").Result;
var dataExp = DateTime.Parse(expat, null, DateTimeStyles.RoundtripKind);
if ((dataExp - DateTime.Now).TotalMinutes < 10)
{
var disco = DiscoveryClient.GetAsync("http://localhost:5000/").Result;
if (disco.IsError) throw new Exception(disco.Error);
var tokenClient = new TokenClient(disco.TokenEndpoint, "clientId",
"clientSecret");
var rt = filterContext.HttpContext.Authentication.GetTokenAsync("refresh_token").Result;
var tokenResult = tokenClient.RequestRefreshTokenAsync(rt).Result;
if (!tokenResult.IsError)
{
var oldIdToken = filterContext.HttpContext.Authentication.GetTokenAsync("id_token").Result;
var newAccessToken = tokenResult.AccessToken;
var newRefreshToken = tokenResult.RefreshToken;
var tokens = new List<AuthenticationToken>
{
new AuthenticationToken {Name = OpenIdConnectParameterNames.IdToken, Value = oldIdToken},
new AuthenticationToken
{
Name = OpenIdConnectParameterNames.AccessToken,
Value = newAccessToken
},
new AuthenticationToken
{
Name = OpenIdConnectParameterNames.RefreshToken,
Value = newRefreshToken
}
};
var expiresAt = DateTime.Now + TimeSpan.FromSeconds(tokenResult.ExpiresIn);
tokens.Add(new AuthenticationToken
{
Name = "expires_at",
Value = expiresAt.ToString("o", CultureInfo.InvariantCulture)
});
var info = filterContext.HttpContext.Authentication.GetAuthenticateInfoAsync("Cookies").Result;
info.Properties.StoreTokens(tokens);
filterContext.HttpContext.Authentication.SignInAsync("Cookies", info.Principal, info.Properties);
}
}
}
}
Usage:
[Authorize]
[TokenFilter]
public class HomeController : Controller
{}
Solution 3
First, be sure to use IdentityModel library (nuget it). Second, since Auth 2.0 is out there are some breaking changes and HttpContext.Authentication used in Rafaels solution is now obsolete. Here are the changes which should be made to get it up and running as a filter again
var expat = filterContext.HttpContext.Authentication.GetTokenAsync("expires_at").Result;
should become:
var expat = filterContext.HttpContext.GetTokenAsync("expires_at").Result;
var rt = filterContext.HttpContext.Authentication.GetTokenAsync("refresh_token").Result;
should become:
var rt = filterContext.HttpContext.GetTokenAsync("refresh_token").Result;
var oldIdToken = filterContext.HttpContext.Authentication.GetTokenAsync("id_token").Result;
should become
var oldIdToken = filterContext.HttpContext.GetTokenAsync("id_token").Result;
var info = filterContext.HttpContext.Authentication.GetAuthenticateInfoAsync("Cookies").Result;
should become
var info = filterContext.HttpContext.AuthenticateAsync("Cookies").Result;
filterContext.HttpContext.Authentication.SignInAsync("Cookies", info.Principal, info.Properties);
should become
filterContext.HttpContext.SignInAsync("Cookies", info.Principal, info.Properties);
And this is the a whole code:
public class TokenFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var expat = filterContext.HttpContext.GetTokenAsync("expires_at").Result;
var dataExp = DateTime.Parse(expat, null, DateTimeStyles.RoundtripKind);
if ((dataExp - DateTime.Now).TotalMinutes < 10)
{
var disco = DiscoveryClient.GetAsync("http://localhost:5000/").Result;
if (disco.IsError) throw new Exception(disco.Error);
var tokenClient = new TokenClient(disco.TokenEndpoint, "clientId",
"clientSecret");
var rt = filterContext.HttpContext.GetTokenAsync("refresh_token").Result;
var tokenResult = tokenClient.RequestRefreshTokenAsync(rt).Result;
if (!tokenResult.IsError)
{
var oldIdToken = filterContext.HttpContext.GetTokenAsync("id_token").Result;
var newAccessToken = tokenResult.AccessToken;
var newRefreshToken = tokenResult.RefreshToken;
var tokens = new List<AuthenticationToken>
{
new AuthenticationToken {Name = OpenIdConnectParameterNames.IdToken, Value = oldIdToken},
new AuthenticationToken
{
Name = OpenIdConnectParameterNames.AccessToken,
Value = newAccessToken
},
new AuthenticationToken
{
Name = OpenIdConnectParameterNames.RefreshToken,
Value = newRefreshToken
}
};
var expiresAt = DateTime.Now + TimeSpan.FromSeconds(tokenResult.ExpiresIn);
tokens.Add(new AuthenticationToken
{
Name = "expires_at",
Value = expiresAt.ToString("o", CultureInfo.InvariantCulture)
});
var info = filterContext.HttpContext.AuthenticateAsync("Cookies").Result;
info.Properties.StoreTokens(tokens);
filterContext.HttpContext.SignInAsync("Cookies", info.Principal, info.Properties);
}
}
}
}
Usаge is the same as Rafael showed.
Solution 4
The IdentityServer4-Github has another (new?) MvcAutomaticTokenManagement example.
StartUp.cs calls the extension-method AddAutomaticTokenManagement(), which in turn calls lots of other stuff. Because the links in some other answers turned invalid, I would love to include all, but it is way too much code (and too many files) to quote - go check it out.
Most relevant(?) part:
public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
{
// [removed about 20 lines of code to get and check tokens here...]
if (dtRefresh < _clock.UtcNow)
{
var shouldRefresh = _pendingRefreshTokenRequests.TryAdd(refreshToken.Value, true);
if (shouldRefresh)
{
try
{
var response = await _service.RefreshTokenAsync(refreshToken.Value);
if (response.IsError)
{
_logger.LogWarning("Error refreshing token: {error}", response.Error);
return;
}
context.Properties.UpdateTokenValue("access_token", response.AccessToken);
context.Properties.UpdateTokenValue("refresh_token", response.RefreshToken);
var newExpiresAt = DateTime.UtcNow + TimeSpan.FromSeconds(response.ExpiresIn);
context.Properties.UpdateTokenValue("expires_at", newExpiresAt.ToString("o", CultureInfo.InvariantCulture));
await context.HttpContext.SignInAsync(context.Principal, context.Properties);
}
finally
{
_pendingRefreshTokenRequests.TryRemove(refreshToken.Value, out _);
}
}
}
}
public override async Task SigningOut(CookieSigningOutContext context)
{
// [removed about 15 lines of code to get and check tokens here...]
var response = await _service.RevokeTokenAsync(refreshToken.Value);
if (response.IsError)
{
_logger.LogWarning("Error revoking token: {error}", response.Error);
return;
}
}
Solution 5
The link you provided to https://github.com/mderriey/TokenRenewal/blob/master/src/MvcClient/Startup.cs really helped me!
The gotcha was in the AddOpenIdConnect section. The event you want is not the OnTokenValidated event. You should use the OnTokenResponseReceived event. It's at that point you'll have a proper access_token and refresh_token to add to the cookie.
mithunc
Updated on July 09, 2022Comments
-
mithunc almost 2 years
I've followed the Quickstart in the documentation page and have a working configuration of three services (IdentityServer, one Api service, one ASPNET MVC application) using IdentityServer for authentication.
Everything works perfectly (login, login, authorization, etc.) until after 1 hour when the access_token expires. At this point, the MVC application starts to receive (correctly) a 401 from the API service (since the token is expired). At that point, I know I should use the refresh_token to get a new access_token.
I was looking for a mechanism that automatically refreshed the access_token and stumbled upon this: https://github.com/mderriey/TokenRenewal/blob/master/src/MvcClient/Startup.cs (from this answer). I tried to use that but it didn't work (the
TokenEndpointResponsewas null even though the authentication was successful).I understand how to use a
refresh_tokento get a newaccess_token, but after I have it, how would I go inserting it back into the cookie so that future request have access to the new tokens?