Refresh Token - NeoSOFT-Technologies/rest-dot-net-core GitHub Wiki
Description
Refresh tokens are credentials that can be used to acquire new access tokens. When access tokens expire, we can use refresh tokens to get a new access token from the authentication component. The lifetime of a refresh token is usually set much longer compared to the lifetime of an access token. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.
Now, we are going to introduce the refresh token to our authentication workflow:
- First, the client authenticates with the authentication component by providing the credentials.
- Then, the authentication component issues the access token and the refresh token.
- After that, the client requests the resource endpoints for a protected resource by providing the access token.
- The resource endpoint validates the access token and provides a protected resource.
- Steps 3 & 4 keeps on repeating until the access token expires.
- Once the access token expires, the client requests a new access token by providing the refresh token.
- The authentication component issues a new access token and refresh token.
- Steps 3 through 7 keeps on repeating until the refresh token expires.
- Once the refresh token expires, the client needs to authenticate with the authentication server once again and the flow repeats from step 1.
NuGet Packages
We need to install Microsoft.AspNetCore.Authentication.JwtBearer and System.IdentityModel.Tokens.Jwt packages from NuGet Package Manager.
Code Snippet
First create a model class for RefreshToken at location Infrastructure/ProjetName.Identity/Models to create a RefreshToken Table in database as below,
public class RefreshToken
{
public string Token { get; set; }
public DateTime Expires { get; set; }
public bool IsExpired => DateTime.UtcNow >= Expires;
public DateTime Created { get; set; }
public DateTime? Revoked { get; set; }
public bool IsActive => Revoked == null && !IsExpired;
}
Then creata a list of type RefreshToken in ApplicationUser class,
public List<RefreshToken> RefreshTokens { get; set; }
Run below commands in Package manager console,
add-migration initial -Context IdentityDbContext
update-database -Context IdentityDbContext
Update the AuthenticationResponse class as below,
public class AuthenticationResponse
{
public string Message { get; set; }
public bool IsAuthenticated { get; set; }
public string Id { get; set; }
public string UserName { get; set; }
public string Email { get; set; }
public string Token { get; set; }
public string RefreshToken { get; set; }
public DateTime? RefreshTokenExpiration { get; set; }
}
Then create model classes for RefreshTokenRequest and RefreshTokenResponse at location Core/ProjetName.Application/Models as below,
public class RefreshTokenRequest
{
public string Token { get; set; }
}
public class RefreshTokenResponse
{
public string Message { get; set; }
public bool IsAuthenticated { get; set; }
public string Id { get; set; }
public string UserName { get; set; }
public string Email { get; set; }
public string Token { get; set; }
public string RefreshToken { get; set; }
public DateTime? RefreshTokenExpiration { get; set; }
}
Now, update authentication service interface named IAuthenticationService and implement that interface in AuthenticationService service class as below,
public interface IAuthenticationService
{
Task<RefreshTokenResponse> RefreshTokenAsync(RefreshTokenRequest request);
}
Note : AuthenticateAsync method in AuthenticationService class got updated.
public class AuthenticationService: IAuthenticationService
{
private readonly UserManager<ApplicationUser> _userManager;
private readonly SignInManager<ApplicationUser> _signInManager;
private readonly JwtSettings _jwtSettings;
private readonly IdentityDbContext _context;
public AuthenticationService(UserManager<ApplicationUser> userManager,
IOptions<JwtSettings> jwtSettings,
SignInManager<ApplicationUser> signInManager,
IdentityDbContext context)
{
_userManager = userManager;
_jwtSettings = jwtSettings.Value;
_signInManager = signInManager;
_context = context;
}
public async Task<AuthenticationResponse> AuthenticateAsync(AuthenticationRequest request)
{
var user = await _userManager.FindByEmailAsync(request.Email);
AuthenticationResponse response = new AuthenticationResponse();
if (user == null)
{
response.IsAuthenticated = false;
response.Message = $"No Accounts Registered with {request.Email}.";
return response;
}
var result = await _signInManager.PasswordSignInAsync(user.UserName, request.Password, false, lockoutOnFailure: false);
if (!result.Succeeded)
{
throw new Exception($"Credentials for '{request.Email} aren't valid'.");
}
JwtSecurityToken jwtSecurityToken = await GenerateToken(user);
if (user.RefreshTokens.Any(a => a.IsActive))
{
var activeRefreshToken = user.RefreshTokens.Where(a => a.IsActive == true).FirstOrDefault();
response.RefreshToken = activeRefreshToken.Token;
response.RefreshTokenExpiration = activeRefreshToken.Expires;
}
else
{
var refreshToken = GenerateRefreshToken();
response.RefreshToken = refreshToken.Token;
response.RefreshTokenExpiration = refreshToken.Expires;
user.RefreshTokens.Add(refreshToken);
_context.Update(user);
_context.SaveChanges();
}
response.IsAuthenticated = true;
response.Id = user.Id;
response.Token = new JwtSecurityTokenHandler().WriteToken(jwtSecurityToken);
response.Email = user.Email;
response.UserName = user.UserName;
return response;
}
private RefreshToken GenerateRefreshToken()
{
var randomNumber = new byte[32];
using (var generator = new RNGCryptoServiceProvider())
{
generator.GetBytes(randomNumber);
return new RefreshToken
{
Token = Convert.ToBase64String(randomNumber),
Expires = DateTime.UtcNow.AddDays(10),
Created = DateTime.UtcNow
};
}
}
public async Task<RefreshTokenResponse> RefreshTokenAsync(RefreshTokenRequest request)
{
var response = new RefreshTokenResponse();
var user = _context.Users.SingleOrDefault(u => u.RefreshTokens.Any(t => t.Token == request.Token));
if (user == null)
{
response.IsAuthenticated = false;
response.Message = $"Token did not match any users.";
return response;
}
var refreshToken = user.RefreshTokens.Single(x => x.Token == request.Token);
if (!refreshToken.IsActive)
{
response.IsAuthenticated = false;
response.Message = $"Token Not Active.";
return response;
}
//Revoke Current Refresh Token
refreshToken.Revoked = DateTime.UtcNow;
//Generate new Refresh Token and save to Database
var newRefreshToken = GenerateRefreshToken();
user.RefreshTokens.Add(newRefreshToken);
_context.Update(user);
await _context.SaveChangesAsync();
//Generates new jwt
response.IsAuthenticated = true;
JwtSecurityToken jwtSecurityToken = await GenerateToken(user);
response.Token = new JwtSecurityTokenHandler().WriteToken(jwtSecurityToken);
response.Email = user.Email;
response.UserName = user.UserName;
response.RefreshToken = newRefreshToken.Token;
response.RefreshTokenExpiration = newRefreshToken.Expires;
return response;
}
}
Demo
Demo video to get the clear result view of above implemented module.
