Still logged in MVC site, but can’t call web API

by

There are two types of authentication, cookie and bearer.

Where the cookie keeps you logged in, the bearer token can’t. Because the bearer token is set to expire at some point, without allowing you to change the lifetime.

The only way to access the resource (api) after the access token expires is to either let the user login again or request a new access token using a refresh token, without needing user interaction.

You’ve already configured it:

options.Scope.Add("offline_access");

On each login the request will at least contain a refresh token. Store it at a safe place and use it when needed. By default it is set to one time use only.

You can use something like this code to renew the token (as you are not actually refreshing it, but rather replacing it). You’ll need to include the ‘IdentityModel’ NuGet package, as seen in the samples from IdentityServer.

private async Task<TokenResponse> RenewTokensAsync()
{
    // Initialize the token endpoint:
    var client = _httpClientFactory.CreateClient();
    var disco = await client.GetDiscoveryDocumentAsync("http://localhost:5000");

    if (disco.IsError) throw new Exception(disco.Error);

    // Read the stored refresh token:
    var rt = await HttpContext.GetTokenAsync("refresh_token");
    var tokenClient = _httpClientFactory.CreateClient();

    // Request a new access token:
    var tokenResult = await tokenClient.RequestRefreshTokenAsync(new RefreshTokenRequest
    {
        Address = disco.TokenEndpoint,

        ClientId = "mvc",
        ClientSecret = "secret",
        RefreshToken = rt
    });

    if (!tokenResult.IsError)
    {
        var old_id_token = await HttpContext.GetTokenAsync("id_token");
        var new_access_token = tokenResult.AccessToken;
        var new_refresh_token = tokenResult.RefreshToken;
        var expiresAt = DateTime.UtcNow + TimeSpan.FromSeconds(tokenResult.ExpiresIn);

        // Save the information in the cookie
        var info = await HttpContext.AuthenticateAsync("Cookies");

        info.Properties.UpdateTokenValue("refresh_token", new_refresh_token);
        info.Properties.UpdateTokenValue("access_token", new_access_token);
        info.Properties.UpdateTokenValue("expires_at", expiresAt.ToString("o", CultureInfo.InvariantCulture));

        await HttpContext.SignInAsync("Cookies", info.Principal, info.Properties);
        return tokenResult;
    }
    return null;
}

By default the refresh token usage is configured as one time use. Please note that when storing the new refresh token fails and you should lose it, then the only way to request a new refresh token is to force the user to login again.

Also note that the refresh token can expire.

And taking it one step back, you’ll need to use this when the access token expired or is about to expire:

var accessToken = await HttpContext.GetTokenAsync("access_token");

var tokenHandler = new JwtSecurityTokenHandler();

var jwtSecurityToken = tokenHandler.ReadJwtToken(accessToken);

// Depending on the lifetime of the access token.
// This is just an example. An access token may be valid
// for less than one minute.
if (jwtSecurityToken.ValidTo < DateTime.UtcNow.AddMinutes(5))
{
    var responseToken = await RenewTokensAsync();
    if (responseToken == null)
    {
        throw new Exception("Error");
    }
    accessToken = responseToken.AccessToken;
}

// Proceed, accessToken contains a valid token.

More Related Contents:

  1. How to return a specific status code and no contents from Controller?
  2. Creating a proxy to another web api with Asp.net core
  3. Async provider in .NET Core DI
  4. How to implement a “pure” ASP.NET Core Web API by using AddMvcCore()
  5. How do you create a custom AuthorizeAttribute in ASP.NET Core?
  6. Increase upload file size in Asp.Net core
  7. Use multiple JWT Bearer Authentication
  8. How to read ASP.NET Core Response.Body?
  9. Timeouts with long running ASP.NET MVC Core Controller HTTPPost Method
  10. How to upload files in ASP.NET Core?
  11. How to get a list of all routes in ASP.NET Core?
  12. How to update values into appsetting.json?
  13. IdentityServer4 Role Based Authorization for Web API with ASP.NET Core Identity
  14. How do I access Configuration in any class in ASP.NET Core?
  15. Enable OPTIONS header for CORS on .NET Core Web API
  16. How to use a controller in another assembly in ASP.NET Core MVC 2.0?
  17. Uploading and Downloading large files in ASP.NET Core 3.1?
  18. Unable to create migrations after upgrading to ASP.NET Core 2.0
  19. ASP.NET Core JWT mapping role claims to ClaimsIdentity
  20. How to get the Development/Staging/production Hosting Environment in ConfigureServices
  21. How can I call a SQL Stored Procedure using EntityFramework 7 and Asp.Net 5
  22. Convert IHtmlContent/TagBuilder to string in C#
  23. Dependency Injection error: Unable to resolve service for type while attempting to activate, while class is registered
  24. Unable to resolve service for type while attempting to activate
  25. How to get user Browser name ( user-agent ) in Asp.net Core?
  26. Dependency injection, inject with parameters
  27. Hosting ASP.NET Core API in a Windows Forms Application
  28. How do I resolve the issue the request matched multiple endpoints in .Net Core Web Api
  29. Injection of IUrlHelper in ASP.NET Core
  30. Dealing with large file uploads on ASP.NET Core 1.0

Leave a Comment