Tuesday, February 6, 2018

ASP.NET Core–Use refresh token to acquire new access token

In an ASP.NET Core application we are building we are using OpenID Connect Hybrid flow.

From the Identity Server documentation:

Access tokens are a bit more sensitive than identity tokens, and we don’t want to expose them to the “outside” world if not needed. OpenID Connect includes a flow called “Hybrid Flow” which gives us the best of both worlds, the identity token is transmitted via the browser channel, so the client can validate it before doing any more work. And if validation is successful, the client opens a back-channel to the token service to retrieve the access token.

On our ASP.NET Core backend we use the acquired access token to call another API. However as an access token typically has a short lifetime, this only works until the access token is expired.  To refresh our access token, we can use a refresh token to acquire a new access token from our Security Token Service.

After trying multiple possible solutions, I ended up with an implementation where I use an ASP.NET Core MVC filter to handle this:

2 comments:

viji malar said...

This is so informative blog and i have used this 5 minutes thing very useful too happy with this blog........


MSBI Training in Chennai
Base SAS Training in Chennai
Hadoop Training in Chennai

lakshmi deepa said...


This is so informative blog and i have used this 5 minutes thing very useful too happy with this blog........
SAP FICO Training in Chennai