
I am using Microsoft OWIN to generate an access token and a refresh token at first login. I knew that the refresh token is used to issue a new access token, but my question is:

1. If the application is idle and the access token is about to expire, do we need to generate a new access token? If yes, then the application will never time out.

2. If we need to generate a new access token, do we need to request manually only for a token, or do we need to generate a new access token while any API method is consumed during the access token period?

I have been referring to many sites on refreshing tokens, but everyone has one answer: that when the access token is about to expire we have to use the refresh token to get a new access token. It's an obvious answer. If we continue to refresh without verifying application idleness, then the application will never reach the timeout condition.

I am new to this concept, so I would request you all to help me out in knowing the actual security standards for using refresh tokens.

Thank you in advance.

  • The simple solution is to wait for an API request to fail due to the access token being expired, and then refresh the token and retry the request. You can encapsulate this functionality into a custom HttpClientHandler for HttpClient, for example. – ProgrammingLlama May 04 '18 at 06:52
  • Hi John, thank you for your valuable reply. I am thinking that if an access token expires I would ask him to log in again, so a new access token is generated. But if I go with this then there is no use for the refresh token. Practically, I am not sure whether to allow an application to continue the session after expiry. If possible, can you please elaborate on this? – Siba Prasad Dalai May 04 '18 at 07:07
  • The way we approached this is as follows: If the access token fails, try to refresh it. If refreshing it fails, ask the user to login again. – ProgrammingLlama May 04 '18 at 07:22
  • Something like [this](https://stackoverflow.com/questions/49304326/refresh-token-using-static-httpclient) – ProgrammingLlama May 04 '18 at 07:23
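
The approach described in the comments above (refresh only after a request fails with 401, retry once, and require a new login if the refresh itself fails), sketched as an added example that is not part of the original thread. `ITokenStore`, `AccessToken`, `TryRefreshAsync` and `RefreshOn401Handler` are hypothetical names, not OWIN APIs; because the refresh is triggered only by a real request, an idle client never renews its token.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical token store (assumption): wraps the calls to the token endpoint.
public interface ITokenStore
{
    string AccessToken { get; }
    Task<bool> TryRefreshAsync(CancellationToken ct); // false when the refresh token is rejected
}

public sealed class RefreshOn401Handler : DelegatingHandler
{
    private readonly ITokenStore _tokens;
    private readonly SemaphoreSlim _refreshLock = new SemaphoreSlim(1, 1);
    public RefreshOn401Handler(ITokenStore tokens, HttpMessageHandler inner) : base(inner) { _tokens = tokens; }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // Buffer the body up front: a sent HttpRequestMessage cannot be sent a second time.
        byte[] body = request.Content == null ? null : await request.Content.ReadAsByteArrayAsync();
        string sentToken = _tokens.AccessToken;
        var response = await base.SendAsync(Build(request, body, sentToken), ct);
        if (response.StatusCode != HttpStatusCode.Unauthorized) return response;
        response.Dispose();
        await _refreshLock.WaitAsync(ct);
        try
        {
            // Skip the refresh if a concurrent request already replaced the token we used.
            if (_tokens.AccessToken == sentToken && !await _tokens.TryRefreshAsync(ct))
                throw new UnauthorizedAccessException("Refresh failed; the user must log in again.");
        }
        finally { _refreshLock.Release(); }
        return await base.SendAsync(Build(request, body, _tokens.AccessToken), ct); // one retry only
    }

    private static HttpRequestMessage Build(HttpRequestMessage src, byte[] body, string token)
    {
        var copy = new HttpRequestMessage(src.Method, src.RequestUri) { Version = src.Version };
        foreach (var h in src.Headers) copy.Headers.TryAddWithoutValidation(h.Key, h.Value);
        if (body != null)
        {
            copy.Content = new ByteArrayContent(body);
            foreach (var h in src.Content.Headers) copy.Content.Headers.TryAddWithoutValidation(h.Key, h.Value);
        }
        copy.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return copy;
    }
}
```

The handler is passed to the `HttpClient` constructor with an `HttpClientHandler` as its inner handler, and the calling code treats `UnauthorizedAccessException` as the signal to show the login screen.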

0 Answers