[OAuth2 authorization server] Does a refresh token's expiry time need to differ from the access token's?

I'm learning OAuth2 via this tutorial, and I found that the refresh token's expiry time is the same as the access token's. Is this correct?
Asked by Rwing

There are 2 answers below.

Answer by Hans Z.:
In general that does not make much sense: the refresh_token exists to allow the Client to get a new access_token when the current one expires. If the refresh_token has also expired by then, there's nothing that a Client can do with it so it is useless.
There's one (more or less) edge case in which this is useful though: when the Resource Server actively rejects the access_token before it expires, the Client can now go back to the Authorization Server to get a new access_token.
Second answer:

That's true: refresh tokens issued by the OAuth2 authorization server built into OWIN/Katana always have the same expiration date as access tokens, even if you specify an explicit ExpiresUtc property in AuthenticationProperties when you call IOwinContext.Authentication.SignIn(identity, properties): https://github.com/yreynhout/katana-clone/blob/master/src/Microsoft.Owin.Security.OAuth/OAuthAuthorizationServerHandler.cs#L333

That's not really convenient for the reasons @Hans mentioned, but you can override this behavior in AuthenticationTokenProvider.CreateAsync (the class you use for OAuthAuthorizationServerOptions.RefreshTokenProvider): simply set context.Ticket.Properties.ExpiresUtc to the expiration date of your choice, and the refresh token will be issued with a different expiration date.

You can also take a look at AspNet.Security.OpenIdConnect.Server, a fork of the OAuth2 authorization server offered by OWIN/Katana that has a native RefreshTokenLifetime: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/dev

Don't hesitate to ping me if you need help.
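The following is an added example, not code from either answer or from the Katana project: it puts the two answers together, a short-lived access token (Hans's point that the refresh token is useless unless it outlives the access token) and the ExpiresUtc override in AuthenticationTokenProvider.CreateAsync described in the second answer. The class names LongLivedRefreshTokenProvider, SampleAuthorizationServerProvider and the UserStore.Verify credential check are hypothetical; the base classes, contexts and option names are Katana's (Microsoft.Owin.Security.OAuth / Microsoft.Owin.Security.Infrastructure). The comment about the handler serializing the access token before calling the refresh token provider reflects the Katana source linked above; check it against the version you run.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical: issues refresh tokens whose lifetime is independent of
// OAuthAuthorizationServerOptions.AccessTokenExpireTimeSpan.
public sealed class LongLivedRefreshTokenProvider : AuthenticationTokenProvider
{
    private readonly TimeSpan _refreshTokenLifetime;

    public LongLivedRefreshTokenProvider(TimeSpan refreshTokenLifetime)
    {
        _refreshTokenLifetime = refreshTokenLifetime;
    }

    public override Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // Katana hands this provider the same ticket it used for the access token,
        // after the access token has been serialized and its expiry recorded for
        // expires_in, so re-stamping the ticket here only affects the refresh token.
        var now = DateTimeOffset.UtcNow;
        context.Ticket.Properties.IssuedUtc = now;
        context.Ticket.Properties.ExpiresUtc = now.Add(_refreshTokenLifetime);

        // SerializeTicket() protects the ticket with Options.RefreshTokenFormat.
        context.SetToken(context.SerializeTicket());
        return Task.FromResult(0);
    }

    public override Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        // Reject unreadable, tampered or expired refresh tokens up front. Not calling
        // SetTicket makes the token endpoint answer with invalid_grant.
        var ticket = context.DeserializeTicket(context.Token);
        if (ticket == null ||
            !ticket.Properties.ExpiresUtc.HasValue ||
            ticket.Properties.ExpiresUtc.Value <= DateTimeOffset.UtcNow)
        {
            return Task.FromResult(0);
        }
        context.SetTicket(ticket);
        return Task.FromResult(0);
    }
}

// Hypothetical provider: issues the first token pair via the password grant and
// accepts the refresh grant (Katana refuses it unless GrantRefreshToken validates).
public sealed class SampleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Public client for the sample; a confidential client must be checked here.
        context.Validated();
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // UserStore.Verify is a placeholder for your real credential check.
        if (!UserStore.Verify(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(identity);
        return Task.FromResult(0);
    }

    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // Copy the identity so claims can be refreshed from the user store if needed;
        // the handler then stamps the new access token with AccessTokenExpireTimeSpan.
        var identity = new ClaimsIdentity(context.Ticket.Identity);
        context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties));
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15),              // short-lived access token
            Provider = new SampleAuthorizationServerProvider(),
            RefreshTokenProvider = new LongLivedRefreshTokenProvider(TimeSpan.FromDays(14)),
            AllowInsecureHttp = false                                            // tokens only over TLS
        });
    }
}
```

Two caveats for anyone copying this. First, the refresh token is a self-contained protected ticket, so once issued it stays valid until its ExpiresUtc; Katana keeps no record of it, and using it does not invalidate it. If you want one-time-use refresh tokens or the ability to revoke them, record an identifier for each issued token in CreateAsync and check and retire it in ReceiveAsync. Second, the early-rejection case from the first answer (the resource server refusing an unexpired access token) only helps the client if the resource server's decision is also visible to the authorization server; with purely self-contained tokens, the refresh grant will happily mint a new access token for an identity that was just refused.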