Base solution for your next web application
Ends in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Refresh token asp.net core implementation #8261


User avatar
0
antonis created

How is refresh token implemented in asp.net core server?


8 Answer(s)
  • User Avatar
    0
    aaron created
    Support Team

    You have the source code.

    You can also take a look at the PR: aspnetzero/aspnet-zero-core#2561

  • User Avatar
    0
    antonis created

    I can see that once the user is successfully authenticated, a refresh token is returned to angular client along with the access token. When an access token expires tokenAuth/RefreshToken is called and a new access token is issued if refresh token provided is valid. What I cannot find is when a refresh token expires how does it work ?

    Thanks

  • User Avatar
    0
    aaron created
    Support Team

    Do you mean on the client side?

  • User Avatar
    0
    antonis created

    I am trying to understand the auth flow here with access token and refresh tkmw

  • User Avatar
    0
    aaron created
    Support Team

    On the client side, the auth flow is briefly described in PR aspnetzero/aspnet-zero-core#2777:

    If the user selects "Remember me", refresh token will be stored. Then if any request gets 401 AbpHttpInterceptor :

    • will block all request,
    • store them in BehaviorSubject
    • try to get access token
    • if it success, rehandle all requests.
    • otherwise go login

    You can refer to the source code in src/abpHttpInterceptor.ts.

  • User Avatar
    0
    antonis created

    But this is not secure. If one can manage to steal refresh token can he be always authenticated.

  • User Avatar
    0
    ryancyq created
    Support Team

    Hi,

    since cookie is stored in the browser/client side, if one can steal the cookie from the browser, doesn't it mean the client's machine has already been compromised?

    in that case, it is commonly handled by revoking all the login sessions of the user and acess/refresh token will not be able to authenticated again.

  • User Avatar
    0
    ismcagdas created
    Support Team

    This issue is closed because of no recent activity. Please open a new issue if you are still having this problem.