Lifetime of Refresh Tokens with Katana OAuthAuthorizationServer

StackOverflow https://stackoverflow.com/questions/19409085

  •  30-06-2022
  •  | 
  •  

Question

From the source code sandbox Webserver, refresh tokens was done like this:

RefreshTokenProvider = new AuthenticationTokenProvider
{
    OnCreate = CreateRefreshToken,
    OnReceive = ReceiveRefreshToken,
}

private void CreateRefreshToken(AuthenticationTokenCreateContext context)
{
    context.SetToken(context.SerializeTicket());
}

private void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
{
    context.DeserializeTicket(context.Token);
}

This create refresh tokens that have the same lifetime as the access tokens.

What would be appropriate lifetime for a refresh token and what would be the suggested way of telling that to the OAuthAuthorizationServer. Theres no options for it, and I am wondering if I should just change it on the ticket in the context of above createRefreshToken.

Was it helpful?

Solution

What would be appropriate lifetime for a refresh token

Its all dependent on use-case. RefreshToken lifetime can be based on the application requirement. Google oAuth has "Refresh tokens are valid until the user revokes access".

what would be the suggested way of telling that to the OAuthAuthorizationServer.

Yes, you are right for the approach. you can set it to Tiken in the context.

private void CreateRefreshToken(AuthenticationTokenCreateContext context)
{
    context.Ticket.Properties.ExpiresUtc = new DateTimeOffset(DateTime.Now.AddMonths(2));
    context.SetToken(context.SerializeTicket());
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top