Hello friends, in this article I will be showing you how to add refresh tokens to the JWT authentication of our Asp.Net Core REST API.
Hi Mohamad, I'm using v8-refreshtokenswithJWT and when I try to RefreshToken I always get "Token has expired please re-login". This behavior happens in this line:
Then the software doesn't continue.
Can you help me please? What can I do to fix it?
Thanks
The project works if I change ValidateLifetime to false
This is a good solution?
Thanks
Hi Walter, there is a small bug related to regeneration of the refresh token. I will push a fix for this within this week. We should always keep it to true
Thanks Mohamad
Hi Walter, hi Mohamad,
I'm still facing the same issue as described above. "jwtTokenHandler.ValidateToken" always throws a token expired exception. Is the bug fixed already?
Thank you and greetings.
Alex
Some fixes for the article:
If you need a token lifetime of less than 5 mins, add the ClockSkew property in Startup.cs:
Don't forget to use UTC instead of local time. You will need to fix the GenerateJwtToken method:
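Both fixes applied in one place, as an added example rather than the article's or the commenter's code. It assumes the secret and ExpiryTimeFrame (a TimeSpan) come from the article's JwtConfig, and that the user Id claim is named "Id" as in the series.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtSetup
{
    // Fix 1 (Startup.cs): ClockSkew defaults to 5 minutes, so a 30-second token is still
    // accepted for 5 minutes after "exp". Short lifetimes need a zero (or very small) skew.
    public static TokenValidationParameters BuildValidationParams(string secret)
    {
        var key = Encoding.ASCII.GetBytes(secret);
        return new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateLifetime = true,          // keep true for the authentication middleware
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.Zero
        };
    }

    // Fix 2: derive the expiry from DateTime.UtcNow. Every expiry the refresh flow stores
    // or compares (this one, the refresh token's ExpiryDate) is checked against
    // DateTime.UtcNow, so mixing in DateTime.Now shifts values by the server's UTC offset.
    public static string GenerateJwtToken(string secret, TimeSpan expiryTimeFrame,
                                          string userId, string email)
    {
        var handler = new JwtSecurityTokenHandler();
        var key = Encoding.ASCII.GetBytes(secret);   // assumption: at least 32 bytes for HS256
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[]
            {
                new Claim("Id", userId),
                new Claim(JwtRegisteredClaimNames.Sub, email),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
            }),
            Expires = DateTime.UtcNow.Add(expiryTimeFrame),
            SigningCredentials = new SigningCredentials(
                new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }
}
```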
Thanks a lot Grand for these fixes, I am planning to add them this week.
If you want you can add a PR on the GitHub repo and I will merge them t
Hi Mohamad!
I have been following the currently 3-part series and continue to enjoy every video. I am currently experiencing a problem with the token not expiring and I think it is happening on Validation #3.
I'm finding that the expiryDate and DateTime.UtcNow values are too far apart to even expire. For example, at the time of running, my expiryDate value = '03/09/21 8:56:38 am' and my DateTime.UtcNow = '03/09/21 2:57:06 pm'.
I did end up using your exact code in GIT to make sure I'm getting the same results. Still no resolution. Then I started thinking, I am using zScaler to log into our network and wondering if that is having problems with date/time. However my expiryDate value is my local and accurate time.
Any ideas to why I cannot get my token to expire?
Thanks,
Bob
Hi Bob,
Thank you for your feedback and comment, I will push an update to git repo to fix.
I apologise for the delay.
Hi Mohamad, love the article!
Should the accessToken expire after 30 seconds? And when it does, how is this handled? Using Swagger the token doesn't seem to be 401ing when I'm accessing the api/todo.
I have downloaded v8.
Thanks in advance.
Lee
Hi Lee, I think you can configure the token for 5 min and then it can expire and use the refresh token to get a new one. There is a bug in the code in V8. I will be pushing a fix this week for it.
Hey I have a question, great tutorial btw, thanks for making it.
If user wants to refresh access token, it also gets new refresh token, shouldn't we just remove the old refresh token instead of marking it as used?
For compliance reasons you might keep them for a certain amount of time and then remove them.
How did you define the ExpiryTimeFrame in the JWTConfig model?
After the token expires, how would the automatic re-authentication take place when you're pointing to the login endpoint again?
Does it mean that we have to store the login info in our app? Please elaborate if I misunderstood.
Hi Mohamad!
I have a question: why use RefreshToken? It seems that only using Token can also refresh the token.
Thanks in advance.
Zhe
A refresh token is similar to a backup key to get a new token in case it is expired or lost. You are sending the token over the internet many times so it "may" be stolen.
That's why we keep the token expiration time a lot shorter than the refresh token's.
Thank you for your answer.
I understand that the purpose of JWT is to not store data on the server side. Now that the RefreshToken must be stored on the server side, does it violate the purpose of JWT? I feel that this approach is very similar to Session
Hi Mohamad, thanks a lot for this series; truly great work. I had an issue similar to some others where RefreshToken was not working since the token parameter validations enforce ValidateLifetime, and the only time you want to refresh the token is after it's expired. So I have added another TokenValidationParameters only to be used during Refresh Token creation and set ValidateLifetime to false:
```csharp
// Second set of validation parameters, registered only for the refresh endpoint.
// Signature is still verified; only the lifetime check is switched off, because the
// access token being refreshed is expected to be expired already.
var refreshTokenValidationParams = new TokenValidationParameters
{
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = new SymmetricSecurityKey(key),
    ValidateIssuer = false,
    ValidateAudience = false,
    ValidateLifetime = false,          // the only difference from the middleware's parameters
    RequireExpirationTime = true       // an "exp" claim must still be present
};
services.AddSingleton(refreshTokenValidationParams);
```
I've also updated the AuthManagementController constructor to call refreshTokenValidationParams:
```csharp
// Generic type arguments were lost in extraction; IdentityUser and JwtConfig are assumed here.
public AuthManagementController(UserManager<IdentityUser> userManager,
                                IOptionsMonitor<JwtConfig> optionsMonitor,
                                TokenValidationParameters refreshTokenValidationParams,
                                BeanDataContext beanDataContext)
```
This fixed my issue but I don't know if this is the most elegant solution or a good solution at all. So I wanted to put it here in the hope that someone will tell me if there is a better way of doing it. Thanks a lot for your time and efforts to put this series together.
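The refresh check that the lifetime-off parameters are meant for, as an added example (not the article's controller or the commenter's code). Switching ValidateLifetime off only removes the expiry check, so the handler below re-does that check by hand and adds the stored-refresh-token checks; the RefreshToken fields (JwtId, IsUsed, IsRevoked, ExpiryDate) are assumptions about the article's entity.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

// Hypothetical stored refresh token, mirroring the fields the article's entity is assumed to have.
public class RefreshToken
{
    public string JwtId { get; set; }         // "jti" of the access token it was issued with
    public bool IsUsed { get; set; }
    public bool IsRevoked { get; set; }
    public DateTime ExpiryDate { get; set; }  // stored in UTC
}

public static class RefreshVerifier
{
    // Checks an (expired access token, refresh token) pair using the lifetime-off parameters.
    // Returns the principal when a new pair may be issued, otherwise null and an error message.
    public static (ClaimsPrincipal Principal, string Error) Verify(
        string accessToken, RefreshToken stored, TokenValidationParameters refreshParams)
    {
        var handler = new JwtSecurityTokenHandler();
        ClaimsPrincipal principal;
        try
        {
            principal = handler.ValidateToken(accessToken, refreshParams, out var validated);
            // Signature was verified; also pin the algorithm so "none" or a swapped alg is refused.
            if (!(validated is JwtSecurityToken jwt) || !jwt.Header.Alg.Equals(
                    SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
                return (null, "Invalid token");
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            return (null, "Invalid token");
        }
        // Lifetime was not validated, so confirm by hand that the access token really is expired.
        // "exp" is Unix seconds in UTC; DateTimeOffset keeps local time out of the comparison.
        var exp = long.Parse(principal.Claims.First(c => c.Type == JwtRegisteredClaimNames.Exp).Value);
        if (DateTimeOffset.FromUnixTimeSeconds(exp) > DateTimeOffset.UtcNow)
            return (null, "Token has not yet expired");
        var jti = principal.Claims.First(c => c.Type == JwtRegisteredClaimNames.Jti).Value;
        if (stored == null) return (null, "Token does not exist");
        if (stored.IsUsed) return (null, "Token has been used");
        if (stored.IsRevoked) return (null, "Token has been revoked");
        if (stored.ExpiryDate < DateTime.UtcNow) return (null, "Refresh token has expired");
        if (stored.JwtId != jti) return (null, "Token doesn't match");
        stored.IsUsed = true;   // single use: the caller persists this and issues a new pair
        return (principal, null);
    }
}
```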
Thank you very much for your feedback, maybe you can push your code to the repo and I will review it there so other people will be able to benefit.
Thanks dear Mohamad, that was awesome.
Hi Mohamad Lawand,
I did not find any Logout functionality here. can you please implement it or can you help via a comment for logout functionality in the same "AuthManagementController" controller?
Hi Mohamad, Thank you for great article.
If you have time can you please add another part for 2FA authentication for web API?
There isn't any good article about that part, or I didn't find one...
Thank you for your kind feedback, I will add this topic to my list.
Hello, I have a question about JWT: if the server can't store or remember the token after the request, how can the server check whether the token sent by the client is valid or hasn't been modified?
Every time I call the RefreshToken API I get this message: "Token has expired please re-login". (I'm using the latest code.)
Edit TokenValidationParams like @candede said.
NEVER use DateTime. ALWAYS use DateTimeOffset. You get timezone handling and no confusion between a date over here and a date over there.
Hi, how is it possible to get current user in controller?