c# - AspNet.Security.OpenIdConnect.Server. Refresh tokens

Question

As far as I know ASOS supports refresh tokens out of the box. To get refresh token I need to add offline_access scope to my token request. But where are they stored? How can I change expiration date of the token or delete it? How can I determine for which user refresh token is created?

Answer 1

But where are they stored?

By default, they are stored nowhere: they are self-contained. As long as the encryption keys used to protect the refresh tokens are still in the ASP.NET Data Protection key ring, they can be decrypted by ASOS and used to issue new access tokens.

---

How can I change expiration date of the token?

The default expiration date can be set globally from the options, using the RefreshTokenLifetime property. If you don't provide your own lifetime, they are valid for 14 days.

Note that sliding expiration is also enabled by default, which means you get a new refresh token (valid for 14 days) each time you make a new grant_type=refresh_token request. You can disable sliding expiration by setting UseSlidingExpiration to false.

---

... or delete it?

Since refresh tokens are self-contained, you can't delete them. You could of course consider using custom tokens (like unique strings corresponding to an entry in a database) by overriding the SerializeRefreshToken and DeserializeRefreshToken events, but the recommended approach is to simply treat them as invalid when receiving a refresh token request.

For that, you can override the HandleTokenRequest event and call context.Reject() if you consider that a refresh_token was revoked and cannot be used to issue new tokens.

---

How can I determine for which user refresh token is created?

Refresh tokens contain all the claims you add when creating the original authentication ticket, so if you add a sub claim corresponding to the user identifier, you can use it to retrieve the user profile from the database.