
From the sandbox Webserver source code, refresh tokens were done like this:

using Microsoft.Owin.Security.Infrastructure;

// Inside the OAuthAuthorizationServerOptions object initializer:
RefreshTokenProvider = new AuthenticationTokenProvider
{
    OnCreate = CreateRefreshToken,
    OnReceive = ReceiveRefreshToken,
}

// The refresh token is the protected (serialized) ticket itself; nothing is kept server-side.
private void CreateRefreshToken(AuthenticationTokenCreateContext context)
{
    context.SetToken(context.SerializeTicket());
}

// Unprotect the ticket; if that fails, context.Ticket stays null and the grant is rejected.
private void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
{
    context.DeserializeTicket(context.Token);
}

This creates refresh tokens that have the same lifetime as the access tokens.

What would be an appropriate lifetime for a refresh token, and what would be the suggested way of telling that to the OAuthAuthorizationServer? There are no options for it, and I am wondering if I should just change it on the ticket in the context of the above CreateRefreshToken.

Poul K. Sørensen

1 Answer


What would be appropriate lifetime for a refresh token

It's all dependent on the use case. Refresh token lifetime can be based on the application's requirements. Google OAuth says "Refresh tokens are valid until the user revokes access".

what would be the suggested way of telling that to the OAuthAuthorizationServer.

Yes, you are right about the approach. You can set it on the Ticket in the context.

private void CreateRefreshToken(AuthenticationTokenCreateContext context)
{
    // Stamp the refresh lifetime on the ticket before it is serialized into the token.
    context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddMonths(2);
    context.SetToken(context.SerializeTicket());
}
jd4u
  • Okay, thanks. And if I wanted to do like Google and have it infinite until revoked, would I just add the logic into CreateRefreshToken? – Poul K. Sørensen Oct 17 '13 at 11:29
  • Yes, you need to maintain a token table to verify its lifetime, attach each token to a user and allow the user to revoke. You can keep the revoked record or just remove it at revocation. – jd4u Oct 17 '13 at 11:50
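The answer sets the lifetime on the ticket, and the comments ask about Google-style "valid until revoked" tokens. Those are two different designs: a refresh token that is nothing but the serialized ticket carries its own expiry and works with Katana's check (the OAuthAuthorizationServer rejects a received refresh-token ticket whose ExpiresUtc is missing or already past, which is what makes the answer's one-line change effective), but it can never be revoked, because the server stores nothing to compare against. The following is an added example, not code from the question, the answer or the Katana project, of the token-table approach jd4u describes: the client receives an opaque random handle, the protected ticket and its owner stay server-side, the lifetime is a stored property (null meaning "until revoked"), and receipt consults and consumes the store, so each handle is single-use. The names RefreshTokenRecord, RevocableRefreshTokens, Lifetime, Revoke and RevokeAll are this example's own, and the ConcurrentDictionary is an assumed stand-in for a real database table. It targets the Microsoft.Owin.Security.OAuth (Katana 2.x) API used on this page.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security.Infrastructure;

// One stored refresh token. ConcurrentDictionary stands in for the database
// table jd4u mentions (assumption); the field names are this example's own.
public sealed class RefreshTokenRecord
{
    public string Subject;               // user the token belongs to (for revoke-all)
    public DateTimeOffset IssuedUtc;
    public DateTimeOffset? ExpiresUtc;   // null = valid until revoked (Google-style)
    public string ProtectedTicket;       // output of context.SerializeTicket()
}

public static class RevocableRefreshTokens
{
    // Absolute lifetime; set to null for "until revoked".
    public static TimeSpan? Lifetime = TimeSpan.FromDays(90);

    // Keyed by SHA-256 of the handle, so a leaked table does not yield usable tokens.
    private static readonly ConcurrentDictionary<string, RefreshTokenRecord> Store =
        new ConcurrentDictionary<string, RefreshTokenRecord>();

    // Plug in with: RefreshTokenProvider = RevocableRefreshTokens.Provider()
    public static AuthenticationTokenProvider Provider()
    {
        return new AuthenticationTokenProvider { OnCreate = Create, OnReceive = Receive };
    }

    public static void Create(AuthenticationTokenCreateContext context)
    {
        var now = DateTimeOffset.UtcNow;
        var record = new RefreshTokenRecord
        {
            Subject = context.Ticket.Identity.Name,
            IssuedUtc = now,
            ExpiresUtc = Lifetime.HasValue ? now.Add(Lifetime.Value) : (DateTimeOffset?)null,
            ProtectedTicket = context.SerializeTicket(),
        };

        // The client only ever sees 256 random bits; nothing about the user is in the token.
        string handle = NewHandle();
        Store[Hash(handle)] = record;
        context.SetToken(handle);
    }

    public static void Receive(AuthenticationTokenReceiveContext context)
    {
        if (string.IsNullOrEmpty(context.Token)) return;

        RefreshTokenRecord record;
        // TryRemove makes every handle single-use: a replayed or revoked handle finds no
        // record, context.Ticket stays null and Katana answers invalid_grant. Katana issues
        // a fresh handle (via Create) with the new access token, so this is token rotation.
        if (!Store.TryRemove(Hash(context.Token), out record)) return;

        var now = DateTimeOffset.UtcNow;
        if (record.ExpiresUtc.HasValue && record.ExpiresUtc.Value < now) return;

        context.DeserializeTicket(record.ProtectedTicket);
        if (context.Ticket == null) return;

        // Katana rejects a deserialized ticket whose ExpiresUtc is past. The table, not the
        // ticket, is the authority here, so stamp the ticket from the record; a short value
        // suffices for until-revoked tokens, since the new access token gets its own expiry.
        context.Ticket.Properties.ExpiresUtc = record.ExpiresUtc ?? now.AddMinutes(1);
    }

    // Revoke one token, e.g. from an RFC 7009-style revocation endpoint.
    public static bool Revoke(string handle)
    {
        RefreshTokenRecord ignored;
        return Store.TryRemove(Hash(handle), out ignored);
    }

    // Revoke everything a user holds, e.g. on password change or "sign out everywhere".
    public static int RevokeAll(string subject)
    {
        int removed = 0;
        var keys = Store.Where(kv => kv.Value.Subject == subject).Select(kv => kv.Key).ToList();
        foreach (var key in keys)
        {
            RefreshTokenRecord ignored;
            if (Store.TryRemove(key, out ignored)) removed++;
        }
        return removed;
    }

    private static string NewHandle()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        // base64url so the handle survives form encoding in the token request
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static string Hash(string handle)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(handle))).Replace("-", "");
    }
}
```

The in-memory store is lost on restart and not shared between servers, which is exactly why jd4u's comment calls for a real table; the protected ticket stays under Katana's data-protection key even when stored, so a dumped table still does not expose the identity in clear. If you keep the serialized-ticket design from the answer instead, the single expiry written into the ticket is the only control you have: there is no way to invalidate an individual token before it expires.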