I've been playing around with Thinktecture's IdentityServer and now I have some problems trying to reach the refresh token endpoint.
What I have is a few clients configured like this:
Authorization code flow client:
    new Client
    {
        ClientId = "tripgalleryauthcode",
        ClientName = "Trip Gallery (Authorization Code)",
        Flow = Flows.AuthorizationCode,
        AllowAccessToAllScopes = true,
        RequireConsent = false,
        RedirectUris = new List<string>
        {
            "redirecturi"
        },
        ClientSecrets = new List<Secret>()
        {
            new Secret("somesecret".Sha256())
        }
    }
Hybrid flow client:
    new Client
    {
        ClientId = "tripgalleryhybrid",
        ClientName = "Tripgalleryhybrid (Hybrid)",
        Flow = Flows.Hybrid,
        AllowAccessToAllScopes = true,
        RequireConsent = false,
        IdentityTokenLifetime = 10,
        AccessTokenLifetime = 120,
        // redirect = URI of the MVC application
        RedirectUris = new List<string>
        {
            "redirecturi"
        },
        // Needed when requesting refresh tokens
        ClientSecrets = new List<Secret>()
        {
            new Secret("somesecret".Sha256())
        },
        PostLogoutRedirectUris = new List<string>()
        {
            "postlogouturi"
        }
    }
What I do is, I have an ASP.NET MVC client which uses the hybrid flow. After the authentication I receive an access token, a refresh token and some other stuff.
What I am trying to do is to test the refresh token endpoint. The way I prepare my request is as follows:
I make a POST request to /identity/connect/revocation. In the headers of the request I have:
- Content-Type: application/x-www-form-urlencoded
- Authorization: Basic dHJpcGdhbGxlcnlhdXRoY29kZTpteXJhbmRvbWNsaWVudHNlY3JldA== (this is the base64-encoded clientid:clientsecret of my Authorization Code client)
In the request body I have: token=0a24f80dcc97a56ede0e7c04563a3493&token_type_hint=refresh_token
The token is the one that came back after my authentication through the hybrid client.
When I fire the request it returns HTTP 200, but no content is returned. When I go to the Identity Server logs, this is what I see:
SnapshotHelper::TakeSnapshotTimerCallback
SnapshotHelper::TakeSnapshotInternal - no new files in CodeGen
w3wp.exe Warning: 0 : 2016-11-13 13:54:11.557 +00:00 [Warning] AuthorizationCodeStore not configured - falling back to InMemory
w3wp.exe Warning: 0 : 2016-11-13 13:54:11.620 +00:00 [Warning] TokenHandleStore not configured - falling back to InMemory
w3wp.exe Warning: 0 : 2016-11-13 13:54:11.620 +00:00 [Warning] ConsentStore not configured - falling back to InMemory
w3wp.exe Warning: 0 : 2016-11-13 13:54:11.620 +00:00 [Warning] RefreshTokenStore not configured - falling back to InMemory
w3wp.exe Information: 0 : 2016-11-13 13:54:12.356 +00:00 [Information] Start token revocation request
w3wp.exe Information: 0 : 2016-11-13 13:54:12.401 +00:00 [Information] Client secret id found: "tripgalleryauthcode"
w3wp.exe Information: 0 : 2016-11-13 13:54:12.401 +00:00 [Information] Client validation success
w3wp.exe Information: 0 : 2016-11-13 13:54:12.401 +00:00 [Information] End token revocation request
What I really expected was to get at least new access and refresh tokens, but I got nothing. I guess I am really missing something in the configuration of my clients, so I would be very happy if you could help me.
EDIT:
I changed the endpoint to /identity/connect/token and also changed the request body to grant_type=refresh_token&token=635c7cbcfa1c0417b6d574ade388c0d8&token_type_hint=refresh_token, but still no success. Now my Identity Server log says:
SnapshotHelper::TakeSnapshotTimerCallback
SnapshotHelper::TakeSnapshotInternal - no new files in CodeGen
SnapshotHelper::TakeSnapshot time since last: 00:19:59.9992231
w3wp.exe Information: 0 : 2016-11-13 20:40:33.406 +00:00 [Information] Start token request
w3wp.exe Information: 0 : 2016-11-13 20:40:33.406 +00:00 [Information] Client secret id found: "tripgalleryauthcode"
w3wp.exe Information: 0 : 2016-11-13 20:40:33.406 +00:00 [Information] Client validation success
w3wp.exe Information: 0 : 2016-11-13 20:40:33.406 +00:00 [Information] Start token request validation
w3wp.exe Information: 0 : 2016-11-13 20:40:33.406 +00:00 [Information] Start validation of refresh token request
w3wp.exe Error: 0 : 2016-11-13 20:40:33.406 +00:00 [Error] "Refresh token is missing"
"{
\"ClientId\": \"tripgalleryauthcode\",
\"ClientName\": \"Trip Gallery (Authorization Code)\",
\"GrantType\": \"refresh_token\",
\"Raw\": {
\"grant_type\": \"refresh_token\",
\"token\": \"635c7cbcfa1c0417b6d574ade388c0d8\",
\"token_type_hint\": \"refresh_token\"
}
}"
w3wp.exe Information: 0 : 2016-11-13 20:40:33.406 +00:00 [Information] End token request
w3wp.exe Information: 0 : 2016-11-13 20:40:33.406 +00:00 [Information] Returning error: invalid_request
SECOND EDIT:
Based on the documentation posted here: Token Endpoint and what's inside of it here: TokenRequest, and many more resources related to that, I came to this request:
which I believe is the correct one. Unfortunately I am still getting HTTP 400 from my identity server with an error that says error=invalid_grant. This makes me think that most likely I have to do some more configuration on my client. In some of the examples on the internet I can see the usage of AbsoluteRefreshTokenLifetime, SlidingRefreshTokenLifetime, RefreshTokenUsage and RefreshTokenExpiration when configuring the client. Can you please give me at least a direction to dig into?
SOLUTION:
What worked for me was to add these options to the client:
    // refresh token options
    AccessTokenType = AccessTokenType.Jwt,
    AccessTokenLifetime = 3600,
    RefreshTokenUsage = TokenUsage.ReUse,
    RefreshTokenExpiration = TokenExpiration.Absolute,
    AbsoluteRefreshTokenLifetime = 1296000   // 15 days, in seconds
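As an added example (not code from the post above and not IdentityServer3's own implementation), the following Python script shows the shape of a correct refresh_token grant request and a small mock of the server-side checks the IdentityServer3 log lines in the post make visible: client authentication from the Basic header, the body parameter name (refresh_token, not token/token_type_hint, which belong to the revocation endpoint), and the rule that a refresh token can only be redeemed by the client it was issued to. The endpoint path, the two client registrations, the secrets and the stored token handle are constructed for the example.

```python
"""
Added example: build a refresh_token grant request for an OAuth2/OIDC token
endpoint and run it through a mock of the server-side validation steps.
Client registrations, secrets and the stored refresh token are constructed
for this example; the endpoint path follows the post.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# The token endpoint; /connect/revocation only revokes and answers 200 with an empty body.
TOKEN_ENDPOINT = "/identity/connect/token"

# Constructed client registrations, mirroring the two clients in the post.
CLIENTS = {
    "tripgalleryauthcode": "somesecret",
    "tripgalleryhybrid": "somesecret",
}

# Constructed refresh-token store: handle -> the client and subject it was issued for.
# A real server also tracks expiry and, with one-time usage, whether it was consumed.
REFRESH_TOKENS = {
    "635c7cbcfa1c0417b6d574ade388c0d8": {"client_id": "tripgalleryhybrid", "sub": "alice"},
}


def build_refresh_request(client_id, client_secret, refresh_token):
    """Client side: HTTP Basic client authentication plus the RFC 6749 section 6 body.

    The body parameter is named refresh_token; 'token' and 'token_type_hint' are
    revocation-endpoint (RFC 7009) parameters and are ignored by the token endpoint.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return TOKEN_ENDPOINT, headers, body


def authenticate_client(headers):
    """Server side: decode the Basic header and check the secret. Returns client_id or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if CLIENTS.get(client_id) != secret:
        return None
    return client_id


def handle_token_request(headers, body):
    """Server side mock of the refresh_token grant. Returns (http_status, response_dict)."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    handle = form.get("refresh_token")
    if not handle:
        # The case the post's log reports as "Refresh token is missing".
        return 400, {"error": "invalid_request"}
    stored = REFRESH_TOKENS.get(handle)
    if stored is None:
        return 400, {"error": "invalid_grant"}
    if stored["client_id"] != client_id:
        # A refresh token is bound to the client it was issued to; another client's
        # credentials, even valid ones, must not be able to redeem it.
        return 400, {"error": "invalid_grant"}
    return 200, {
        "access_token": f"at-for-{stored['sub']}",
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": handle,  # handle reused here; a one-time policy would rotate it
    }


if __name__ == "__main__":
    handle = "635c7cbcfa1c0417b6d574ade388c0d8"
    for cid in ("tripgalleryhybrid", "tripgalleryauthcode"):
        _, hdrs, body = build_refresh_request(cid, "somesecret", handle)
        print(cid, "->", handle_token_request(hdrs, body))
    # Body shaped like the post's second attempt: valid client, wrong parameter name.
    _, hdrs, _ = build_refresh_request("tripgalleryhybrid", "somesecret", handle)
    print("post body ->", handle_token_request(hdrs, f"grant_type=refresh_token&token={handle}&token_type_hint=refresh_token"))
```

Run stand-alone, the script redeems the token successfully only with the hybrid client's credentials; the same token presented with the Authorization Code client's credentials gets invalid_grant, and the post's body with token= instead of refresh_token= gets invalid_request, which matches the two error paths in the logs above.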