Handle Refresh Token Using ASP.NET Core 2.0 And JSON Web Token

Introduction

In this article , you will learn how to deal with the refresh token when you use jwt (JSON Web Token) as your access_token.

Backgroud

Many people choose jwt as their access_token when the client sends a request to the Resource Server.

However, before the client sends a request to the Resource Server, the client needs to get the access_token from the Authorization Server. After receiving and storing the access_token, the client uses access_token to send a request to the Resource Server.

But as all we know, the expired time for a jwt is too short. And we do not require the users to pass their name and password once more! At this time, the refresh_token provides a vary convenient way that we can use to exchange a new access_token.

The normal way may be as per the following.

ASP.NET Core

I will use ASP.NET Core 2.0 to show how to do this work.

Requirement first

You need to install the SDK of .NET Core 2.0 preview and the VS 2017 preview.

Now, let's begin!

First of all, building a Resource Server

Creating an ASP.NET Core Web API project.

Edit the Program class to specify the url when we visit the API.

  1. public class Program  
  2. {  
  3.     public static void Main(string[] args)  
  4.     {  
  5.         BuildWebHost(args).Run();  
  6.     }  
  7.   
  8.     public static IWebHost BuildWebHost(string[] args) =>  
  9.         WebHost.CreateDefaultBuilder(args)  
  10.             .UseStartup<Startup>()  
  11.             .UseUrls("http://localhost:5002")  
  12.             .Build();  
  13. }  

Add a private method in Startup class which configures the jwt authorization. There are some differences when we use the lower version of .NET Core SDK.

  1. public void ConfigureJwtAuthService(IServiceCollection services)  
  2. {  
  3.     var audienceConfig = Configuration.GetSection("Audience");  
  4.     var symmetricKeyAsBase64 = audienceConfig["Secret"];  
  5.     var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);  
  6.     var signingKey = new SymmetricSecurityKey(keyByteArray);  
  7.   
  8.     var tokenValidationParameters = new TokenValidationParameters  
  9.     {  
  10.         // The signing key must match!  
  11.         ValidateIssuerSigningKey = true,  
  12.         IssuerSigningKey = signingKey,  
  13.   
  14.         // Validate the JWT Issuer (iss) claim  
  15.         ValidateIssuer = true,  
  16.         ValidIssuer = audienceConfig["Iss"],  
  17.   
  18.         // Validate the JWT Audience (aud) claim  
  19.         ValidateAudience = true,  
  20.         ValidAudience = audienceConfig["Aud"],  
  21.   
  22.         // Validate the token expiry  
  23.         ValidateLifetime = true,  
  24.   
  25.         ClockSkew = TimeSpan.Zero  
  26.     };  
  27.      
  28.     services.AddAuthentication(options =>  
  29.     {  
  30.         options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;  
  31.         options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;  
  32.     })  
  33.     .AddJwtBearerAuthentication(o =>  
  34.     {  
  35.         o.TokenValidationParameters = tokenValidationParameters;  
  36.     });  
  37. }  

And, we need to use this method in the ConfigureServices method.

  1. public void ConfigureServices(IServiceCollection services)  
  2. {  
  3.     //configure the jwt   
  4.     ConfigureJwtAuthService(services);  
  5.   
  6.     services.AddMvc();  
  7. }  

Do not forget touse the authentication in the Configure method.

  1. public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)  
  2. {  
  3.     loggerFactory.AddConsole(Configuration.GetSection("Logging"));  
  4.     loggerFactory.AddDebug();  
  5.   
  6.     //use the authentication  
  7.     app.UseAuthentication();  
  8.   
  9.     app.UseMvc();  
  10. }  

The last step of our Resource Server is to edit the ValueController so that we can use the authentication when we visit this API.

  1. [Route("api/[controller]")]  
  2. public class ValuesController : Controller  
  3. {  
  4.     // GET api/values/5  
  5.     [HttpGet("{id}")]  
  6.     [Authorize]  
  7.     public string Get(int id)  
  8.     {  
  9.         return "visit by jwt auth";  
  10.     }          
  11. }  

Turn to the Authentication Server

How to design the authentication?

Here is my point of view,

When the client uses the parameters to get an access_token , the client needs to pass the parameters in the querystring are as follow:

Parameter Value
grant_type the value must be password
client_id the client_id is assigned by manager
client_secret the client_secret is assigned by manager
username the name of the user
password the password of the user

 When the client use the parameters to refresh a expired access_token , the client need to pass the parameters in the querystring are as follow,

Parameter Value
grant_type the value must be refresh_token
client_id the client_id is assigned by manager
client_secret the client_secret is assigned by manager
refresh_token after authentication the server will return a refresh_token

Here is the implementation!

Create a new ASP.NET Core project and a new controller named TokenController.

  1. [Route("api/token")]  
  2. public class TokenController : Controller  
  3. {  
  4.     //some config in the appsettings.json  
  5.     private IOptions<Audience> _settings;  
  6.     //repository to handler the sqlite database  
  7.     private IRTokenRepository _repo;  
  8.   
  9.     public TokenController(IOptions<Audience> settings, IRTokenRepository repo)  
  10.     {  
  11.         this._settings = settings;  
  12.         this._repo = repo;  
  13.     }  
  14.   
  15.     [HttpGet("auth")]  
  16.     public IActionResult Auth([FromQuery]Parameters parameters)  
  17.     {  
  18.         if (parameters == null)  
  19.         {  
  20.             return Json(new ResponseData  
  21.             {  
  22.                 Code = "901",  
  23.                 Message = "null of parameters",  
  24.                 Data = null  
  25.             });  
  26.         }  
  27.   
  28.         if (parameters.grant_type == "password")  
  29.         {  
  30.             return Json(DoPassword(parameters));  
  31.         }  
  32.         else if (parameters.grant_type == "refresh_token")  
  33.         {  
  34.             return Json(DoRefreshToken(parameters));  
  35.         }  
  36.         else  
  37.         {  
  38.             return Json(new ResponseData  
  39.             {  
  40.                 Code = "904",  
  41.                 Message = "bad request",  
  42.                 Data = null  
  43.             });  
  44.         }  
  45.     }  
  46.       
  47.     //scenario 1 ï¼š get the access-token by username and password  
  48.     private ResponseData DoPassword(Parameters parameters)  
  49.     {  
  50.         //validate the client_id/client_secret/username/passwo  
  51.         var isValidated = UserInfo.GetAllUsers().Any(x => x.ClientId == parameters.client_id  
  52.                                 && x.ClientSecret == parameters.client_secret  
  53.                                 && x.UserName == parameters.username  
  54.                                 && x.Password == parameters.password);  
  55.   
  56.         if (!isValidated)  
  57.         {  
  58.             return new ResponseData  
  59.             {  
  60.                 Code = "902",  
  61.                 Message = "invalid user infomation",  
  62.                 Data = null  
  63.             };  
  64.         }  
  65.   
  66.         var refresh_token = Guid.NewGuid().ToString().Replace("-""");  
  67.   
  68.         var rToken = new RToken  
  69.         {  
  70.             ClientId = parameters.client_id,  
  71.             RefreshToken = refresh_token,  
  72.             Id = Guid.NewGuid().ToString(),  
  73.             IsStop = 0  
  74.         };  
  75.           
  76.         //store the refresh_token   
  77.         if (_repo.AddToken(rToken))  
  78.         {  
  79.             return new ResponseData  
  80.             {  
  81.                 Code = "999",  
  82.                 Message = "OK",  
  83.                 Data = GetJwt(parameters.client_id, refresh_token)  
  84.             };  
  85.         }  
  86.         else  
  87.         {  
  88.             return new ResponseData  
  89.             {  
  90.                 Code = "909",  
  91.                 Message = "can not add token to database",  
  92.                 Data = null  
  93.             };  
  94.         }  
  95.     }  
  96.   
  97.     //scenario 2 ï¼š get the access_token by refresh_token  
  98.     private ResponseData DoRefreshToken(Parameters parameters)  
  99.     {  
  100.         var token = _repo.GetToken(parameters.refresh_token, parameters.client_id);  
  101.   
  102.         if (token == null)  
  103.         {  
  104.             return new ResponseData  
  105.             {  
  106.                 Code = "905",  
  107.                 Message = "can not refresh token",  
  108.                 Data = null  
  109.             };  
  110.         }  
  111.   
  112.         if (token.IsStop == 1)  
  113.         {  
  114.             return new ResponseData  
  115.             {  
  116.                 Code = "906",  
  117.                 Message = "refresh token has expired",  
  118.                 Data = null  
  119.             };  
  120.         }  
  121.   
  122.         var refresh_token = Guid.NewGuid().ToString().Replace("-""");  
  123.   
  124.         token.IsStop = 1;  
  125.         //expire the old refresh_token and add a new refresh_token  
  126.         var updateFlag = _repo.ExpireToken(token);  
  127.   
  128.         var addFlag = _repo.AddToken(new RToken  
  129.         {  
  130.             ClientId = parameters.client_id,  
  131.             RefreshToken = refresh_token,  
  132.             Id = Guid.NewGuid().ToString(),  
  133.             IsStop = 0  
  134.         });  
  135.   
  136.         if (updateFlag && addFlag)  
  137.         {  
  138.             return new ResponseData  
  139.             {  
  140.                 Code = "999",  
  141.                 Message = "OK",  
  142.                 Data = GetJwt(parameters.client_id, refresh_token)  
  143.             };  
  144.         }  
  145.         else  
  146.         {  
  147.             return new ResponseData  
  148.             {  
  149.                 Code = "910",  
  150.                 Message = "can not expire token or a new token",  
  151.                 Data = null  
  152.             };  
  153.         }  
  154.     }  
  155.       
  156.     //get the jwt token   
  157.     private string GetJwt(string client_id, string refresh_token)  
  158.     {  
  159.         var now = DateTime.UtcNow;  
  160.   
  161.         var claims = new Claim[]  
  162.         {  
  163.             new Claim(JwtRegisteredClaimNames.Sub, client_id),  
  164.             new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),  
  165.             new Claim(JwtRegisteredClaimNames.Iat, now.ToUniversalTime().ToString(), ClaimValueTypes.Integer64)  
  166.         };  
  167.   
  168.         var symmetricKeyAsBase64 = _settings.Value.Secret;  
  169.         var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);  
  170.         var signingKey = new SymmetricSecurityKey(keyByteArray);  
  171.   
  172.         var jwt = new JwtSecurityToken(  
  173.             issuer: _settings.Value.Iss,  
  174.             audience: _settings.Value.Aud,  
  175.             claims: claims,  
  176.             notBefore: now,  
  177.             expires: now.Add(TimeSpan.FromMinutes(2)),  
  178.             signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));  
  179.         var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);  
  180.   
  181.         var response = new  
  182.         {  
  183.             access_token = encodedJwt,  
  184.             expires_in = (int)TimeSpan.FromMinutes(2).TotalSeconds,  
  185.             refresh_token = refresh_token,  
  186.         };  
  187.   
  188.         return JsonConvert.SerializeObject(response, new JsonSerializerSettings { Formatting = Formatting.Indented });  
  189.     }  
  190. }  

Both above two scenarios only use one action , because the parameters are similar.

When the grant_type is password ,we will create a refresh_token and store this refresh_token to the sqlite database. And return the jwt toekn to the client.

When the grant_type is refresh_token ,we will expire or delete the old refresh_token which belongs to this client_id and store a new refresh_toekn to the sqlite database. And return the new jwt toekn to the client.

Note

I use a GUID as my refresh_token , because GUID is more easier to generate and manager , you can use a more complex value as the refresh token.

At last , Create a console app to test the refresh token.

  1. class Program  
  2. {  
  3.     static void Main(string[] args)  
  4.     {  
  5.         HttpClient _client = new HttpClient();  
  6.           
  7.         _client.DefaultRequestHeaders.Clear();  
  8.   
  9.         Refresh(_client);  
  10.           
  11.         Console.Read();  
  12.     }  
  13.   
  14.     private static void Refresh(HttpClient _client)  
  15.     {  
  16.         var client_id = "100";  
  17.         var client_secret = "888";  
  18.         var username = "Member";  
  19.         var password = "123";  
  20.           
  21.         var asUrl = $"http://localhost:5001/api/token/auth?grant_type=password&client_id={client_id}&client_secret={client_secret}&username={username}&password={password}";  
  22.   
  23.         Console.WriteLine("begin authorizing:");  
  24.   
  25.         HttpResponseMessage asMsg = _client.GetAsync(asUrl).Result;  
  26.           
  27.         string result = asMsg.Content.ReadAsStringAsync().Result;  
  28.   
  29.         var responseData = JsonConvert.DeserializeObject<ResponseData>(result);  
  30.   
  31.         if (responseData.Code != "999")  
  32.         {  
  33.             Console.WriteLine("authorizing fail");  
  34.             return;  
  35.         }  
  36.   
  37.         var token = JsonConvert.DeserializeObject<Token>(responseData.Data);  
  38.   
  39.         Console.WriteLine("authorizing successfully");              
  40.         Console.WriteLine($"the response of authorizing {result}");              
  41.   
  42.         Console.WriteLine("sleep 2min to make the token expire!!!");  
  43.         System.Threading.Thread.Sleep(TimeSpan.FromMinutes(2));  
  44.   
  45.         Console.WriteLine("begin to request the resouce server");  
  46.   
  47.         var rsUrl = "http://localhost:5002/api/values/1";  
  48.         _client.DefaultRequestHeaders.Add("Authorization""Bearer " + token.access_token);  
  49.         HttpResponseMessage rsMsg = _client.GetAsync(rsUrl).Result;  
  50.   
  51.   
  52.         Console.WriteLine("result of requesting the resouce server");  
  53.         Console.WriteLine(rsMsg.StatusCode);  
  54.         Console.WriteLine(rsMsg.Content.ReadAsStringAsync().Result);  
  55.   
  56.         //refresh the token  
  57.         if (rsMsg.StatusCode == HttpStatusCode.Unauthorized)  
  58.         {  
  59.             Console.WriteLine("begin to refresh token");  
  60.   
  61.             var refresh_token = token.refresh_token;  
  62.             asUrl = $"http://localhost:5001/api/token/auth?grant_type=refresh_token&client_id={client_id}&client_secret={client_secret}&refresh_token={refresh_token}";  
  63.             HttpResponseMessage asMsgNew = _client.GetAsync(asUrl).Result;  
  64.             string resultNew = asMsgNew.Content.ReadAsStringAsync().Result;  
  65.   
  66.             var responseDataNew = JsonConvert.DeserializeObject<ResponseData>(resultNew);  
  67.   
  68.             if (responseDataNew.Code != "999")  
  69.             {  
  70.                 Console.WriteLine("refresh token fail");  
  71.                 return;  
  72.             }  
  73.   
  74.             Token tokenNew = JsonConvert.DeserializeObject<Token>(responseDataNew.Data);  
  75.   
  76.             Console.WriteLine("refresh token successful");  
  77.             Console.WriteLine(asMsg.StatusCode);  
  78.             Console.WriteLine($"the response of refresh token {resultNew}");  
  79.   
  80.             Console.WriteLine("requset resource server again");  
  81.   
  82.             _client.DefaultRequestHeaders.Clear();  
  83.             _client.DefaultRequestHeaders.Add("Authorization""Bearer " + tokenNew.access_token);  
  84.             HttpResponseMessage rsMsgNew = _client.GetAsync("http://localhost:5002/api/values/1").Result;  
  85.   
  86.   
  87.             Console.WriteLine("the response of resource server");  
  88.             Console.WriteLine(rsMsgNew.StatusCode);  
  89.             Console.WriteLine(rsMsgNew.Content.ReadAsStringAsync().Result);  
  90.         }  
  91.     }  
  92. }  

We should pay attention to the request of the Resource Server!

We must add a HTTP header when we send a HTTP request : `Authorization:Bearer token`

Now , using the dotnet CLI command to run our three projects.

Here is the screenshot of the runninng result.

ASP.NET Core

Note

  • In the console app, I do not store the access_token and the refresh_token, I just used them once . You should store them in your project ,such as the web app, you can store them in localstorage.
  • When the access_token is expired , the client should remove the expired access_toekn and because the short time will cause the token expired , we do not need to worry about the leakage of the token !

Summary

This article introduced an easy way to handle the refresh_token when you use jwt. Hope this will help you to understand how to deal with the tokens.