
Is there any way to encrypt the refresh tokens before they are stored in the database when using IdentityServer/IdentityServer.EntityFramework?

Are they already encrypted?

Ryan Mendoza

1 Answer

As you can see in the source code, the default grant storage stores a hashed key.

```csharp
protected virtual async Task StoreItemAsync(string key, T item, string clientId, string subjectId, DateTime created, DateTime? expiration)
{
    // Only the hash of the handle is persisted as the grant key.
    key = GetHashedKey(key);

    // The grant payload itself is serialized and stored as-is in Data.
    var json = Serializer.Serialize(item);

    var grant = new PersistedGrant
    {
        Key = key,
        Type = GrantType,
        ClientId = clientId,
        SubjectId = subjectId,
        CreationTime = created,
        Expiration = expiration,
        Data = json
    };

    await Store.StoreAsync(grant);
}
```

If you need encryption, you should write your own implementation.

Amir Chatrbahr
adem caglin
  • The key value is what the client passes along with the client id/secret to use the refresh token grant, correct? If all of that is needed, is there any real reason to encrypt this value? – Ryan Mendoza Aug 07 '18 at 14:35
  • Yes, this might be refresh_token or any other grant, because `DefaultGrantStore` is a generic class. This is hashed by default, like storing a password hash in the database (imho) – adem caglin Aug 08 '18 at 07:22