Original post written by Andrea Chiarelli for Auth0 blog.
Security and user experience are two fundamental aspects of application development. Learn why and how to use refresh tokens in ASP.NET Core applications.
Security and user experience are two fundamental aspects of application development. It is not always easy to combine them, but there are techniques that allow you to achieve a good balance between the two. One example is the use of refresh tokens: they provide security when your application calls an API without compromising the user experience.
Learn how refresh tokens help you achieve this balance by exploring how to manage them in an ASP.NET Core application that calls an API.
The Need for Refresh Tokens
Access tokens authorize your application to call a protected API. You use them as bearer tokens in your HTTP requests, as shown in the following example:
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM
Make sure to use access tokens to call APIs. Don't be tempted to use ID tokens for this purpose. Check out this article to learn more about the difference between ID and access tokens.
Being a bearer token means that whoever is in possession of the token can use it to demonstrate they are authorized to access a resource, such as calling an API, for example.
To prevent access tokens from falling into the wrong hands, you need to apply some strategies, such as using HTTPS to avoid the token being intercepted by attackers, avoid storing it in easily accessible storage, and so on.
Creating access tokens with a short lifetime is one of the strategies that can contribute to reducing the risk of being compromised. With an access token expiring soon, the chances of an attacker being able to steal a still-valid token are reduced. Auth0 allows you to set your access token's lifetime through the dashboard.
That's awesome! But what happens when an access token expires while a user is using your application? Auth0 issues access tokens at login time. So, your user needs to authenticate again to get a new valid access token. Clearly, this is not a great user experience.
Refresh tokens enter the scene to remedy this situation. They are special tokens that let an application get new access tokens without having to ask the user to log in again. Here’s how they work at a high level:
- At login time, your application requests a refresh token along with the ID and access tokens.
- When your application needs to call an API and finds that the access token is expired, it requests Auth0 a new access token by sending the refresh token.
- Auth0 sends your application a new access token and a new refresh token.
- Your application uses the new access token to call the API and will use the new refresh token when this new access token expires. Providing a new refresh token helps mitigate the risk of replay attacks.
To learn more about refresh tokens and how they work, check out this article.
Now you have a high-level understanding of refresh tokens and why you should use them. But how can you use them in practice in an ASP.NET Core application? Let's start our journey.
Top comments (0)