How to handle expired access token in asp.net core using refresh token with OpenId Connect

by

It seems there is no programming in the openidconnect authentication for asp.net core to manage the access_token on the server after received.

I found that I can intercept the cookie validation event and check if the access token has expired. If so, make a manual HTTP call to the token endpoint with the grant_type=refresh_token.

By calling context.ShouldRenew = true; this will cause the cookie to be updated and sent back to the client in the response.

I have provided the basis of what I have done and will work to update this answer once all work as been resolved.

app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            AuthenticationScheme = "Cookies",
            ExpireTimeSpan = new TimeSpan(0, 0, 20),
            SlidingExpiration = false,
            CookieName = "WebAuth",
            Events = new CookieAuthenticationEvents()
            {
                OnValidatePrincipal = context =>
                {
                    if (context.Properties.Items.ContainsKey(".Token.expires_at"))
                    {
                        var expire = DateTime.Parse(context.Properties.Items[".Token.expires_at"]);
                        if (expire > DateTime.Now) //TODO:change to check expires in next 5 mintues.
                        {
                            logger.Warn($"Access token has expired, user: {context.HttpContext.User.Identity.Name}");

                            //TODO: send refresh token to ASOS. Update tokens in context.Properties.Items
                            //context.Properties.Items["Token.access_token"] = newToken;
                            context.ShouldRenew = true;
                        }
                    }
                    return Task.FromResult(0);
                }
            }
        });

More Related Contents:

  1. Cross-Domain Cookies
  2. Cookies on localhost with explicit domain
  3. What are allowed characters in cookies?
  4. Fetch API with Cookie
  5. Clear cookies on browser close
  6. Safari doesn’t set Cookie but IE / FF does
  7. What does the dot prefix in the cookie domain mean?
  8. Setting a cookie using JavaFX’s WebEngine/WebView
  9. How does Facebook set cross-domain cookies for iFrames on canvas pages?
  10. Why won’t asp.net create cookies in localhost?
  11. What is the maximum size of a cookie, and how many can be stored in a browser for each web site?
  12. .NET Core Identity Server 4 Authentication VS Identity Authentication
  13. How cookies work?
  14. Can two different browser share one cookie?
  15. Send cookies with curl
  16. IE8 losing session cookies in popup windows
  17. how to disable cookies using webdriver for Chrome and FireFox JAVA
  18. Cookie path and its accessibility to subfolder pages
  19. Same-Site flag for session cookie in Spring Security
  20. How do I access HttpContext in Server-side Blazor?
  21. Does every web request send the browser cookies?
  22. How to manually decrypt an ASP.NET Core Authentication cookie?
  23. Sending cookies with postman
  24. How to add a cookie to the cookiejar in python requests library
  25. Yahoo Finance Historical data downloader url is not working
  26. When does a cookie with expiration time ‘At end of session’ expire?
  27. What is the best way to implement “remember me” for a website? [closed]
  28. Chrome doesn’t delete session cookies
  29. Where are an UIWebView’s cookies stored?
  30. Update-Database command is not working in ASP.Net Core / Entity Framework Core because object in database already exists

Leave a Comment