
Asp.net OWIN Identity refresh tokens and token expiration

I am trying to find good guidance on using the default OAuth Bearer token provider in the new ASP.net identity framework to handle token expiration and refresh tokens in a Single Page JavaScript Application. I understand the following things:

  • A short access_token lifetime should be specified (the default is 14 days, but something like 5-20 mins is better)

  • You can specify a RefreshTokenProvider that inherits from IAuthenticationTokenProvider

  • The refresh token will be added to the OAuth token response from the OWIN endpoint

  • You can now theoretically use the Refresh token and a "refresh_token" grant type to request a new token

What I don't understand is this:

  • Sending the refresh token back in the token response seems unsafe? If a man in the middle were to intercept, they have everything they need to request new tokens.

  • Granting refresh tokens is commonly tied to validating a Client ID and Client Secret. As far as I know, it is not possible to safely store these in a JS SPA.

So now I don't know where to go from here. All I can think to do is force my users to logout and login back in after the token expiration, resending the initial password grant.
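The setup listed in the question (short access token lifetime, an IAuthenticationTokenProvider for refresh tokens, the refresh_token grant), as an added C# example that is not code from the original question. It assumes the Microsoft.Owin.Security.OAuth package; the class names RotatingRefreshTokenProvider and ApplicationOAuthProvider, the in-memory store and the 15-minute/7-day lifetimes are choices made for the example, and the password-grant handler (GrantResourceOwnerCredentials) is assumed to exist elsewhere in the provider.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Issues single-use refresh tokens and looks them up again on the refresh_token grant.
public class RotatingRefreshTokenProvider : IAuthenticationTokenProvider
{
    // In-memory store for illustration only (hypothetical); a real deployment persists
    // this so tokens survive restarts and work across servers. Keyed by SHA-256 of the
    // token so a copy of the store cannot be replayed as-is.
    private static readonly ConcurrentDictionary<string, AuthenticationTicket> Store =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    private static readonly TimeSpan RefreshTokenLifetime = TimeSpan.FromDays(7);

    public void Create(AuthenticationTokenCreateContext context)
    {
        CreateAsync(context).GetAwaiter().GetResult();
    }

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // 256 random bits from a CSPRNG; Guid.NewGuid() is not a cryptographic RNG.
        var raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(raw);
        }
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');

        // The stored ticket carries the (longer) refresh lifetime; the access token keeps
        // AccessTokenExpireTimeSpan, which the authorization server has already captured.
        DateTimeOffset now = DateTimeOffset.UtcNow;
        context.Ticket.Properties.IssuedUtc = now;
        context.Ticket.Properties.ExpiresUtc = now.Add(RefreshTokenLifetime);

        Store[Hash(token)] = context.Ticket;
        context.SetToken(token);
        return Task.FromResult(0);
    }

    public void Receive(AuthenticationTokenReceiveContext context)
    {
        ReceiveAsync(context).GetAwaiter().GetResult();
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        AuthenticationTicket ticket;
        // TryRemove makes every refresh token single-use: a replayed token fails, and a
        // successful refresh gets a brand-new one from CreateAsync (rotation).
        if (Store.TryRemove(Hash(context.Token), out ticket)
            && ticket.Properties.ExpiresUtc.HasValue
            && ticket.Properties.ExpiresUtc.Value > DateTimeOffset.UtcNow)
        {
            context.SetTicket(ticket);
        }
        return Task.FromResult(0);
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }
}

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    // GrantResourceOwnerCredentials (the password grant) is assumed to be implemented here.

    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // Without this override the refresh_token grant is rejected by default.
        // This is the place to re-check that the user still exists and is not disabled.
        var identity = new ClaimsIdentity(context.Ticket.Identity);
        context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties));
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15), // instead of the 14-day default
            Provider = new ApplicationOAuthProvider(),
            RefreshTokenProvider = new RotatingRefreshTokenProvider(),
            AllowInsecureHttp = false // refuse /Token over plain HTTP; tokens only travel over TLS
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

With this in place a client POSTs grant_type=refresh_token&refresh_token=... to /Token and gets a new access token plus a new refresh token; the old refresh token is gone from the store, so an intercepted one that is replayed after the legitimate client used it is rejected.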

Sending the refresh token back in the token response seems unsafe? If a man in the middle were to intercept, they have everything they need to request new tokens.

SSL

Granting refresh tokens is commonly tied to validating a Client ID and Client Secret. As far as I know, it is not possible to safely store these in a JS SPA.

You are absolutely correct here. ClientSecret cannot be kept on the client. So you could simply have a server side endpoint that will return you a new access token from the current user session. The idea here is to keep the refresh token on the server and when the client needs a new access token it would request this endpoint. Obviously the client will need to be authenticated which could be achieved by common ASP.NET authentication.
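The server-side endpoint the answer describes, as an added C# example that is not the answerer's code: the refresh token and the client secret stay on the server, the browser session is identified by ordinary ASP.NET (cookie) authentication, and only the short-lived access token is handed to the SPA. It assumes ASP.NET Web API 2, an OWIN token endpoint at the configured oauth:TokenEndpoint URL, the appSettings keys oauth:ClientId / oauth:ClientSecret / oauth:TokenEndpoint, and a hypothetical IRefreshTokenStore (declared here for the example) that the login code fills after the initial password grant.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Http;
using Newtonsoft.Json.Linq;

// Hypothetical per-user store for the example; the login flow is assumed to call
// SaveAsync with the refresh token it received from the initial password grant.
public interface IRefreshTokenStore
{
    Task<string> GetAsync(string userId);
    Task SaveAsync(string userId, string refreshToken);
    Task RemoveAsync(string userId);
}

[Authorize] // the browser session is authenticated by the site's cookie, not by a bearer token
[RoutePrefix("api/session")]
public class SessionController : ApiController
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly IRefreshTokenStore _store;

    public SessionController(IRefreshTokenStore store)
    {
        _store = store;
    }

    // The SPA calls this when its access token is about to expire. Because the
    // endpoint is cookie-authenticated, protect it against CSRF as well
    // (e.g. require the usual anti-forgery token or a custom request header).
    [HttpPost, Route("access-token")]
    public async Task<IHttpActionResult> GetAccessToken()
    {
        string userId = User.Identity.Name;
        string refreshToken = await _store.GetAsync(userId);
        if (string.IsNullOrEmpty(refreshToken))
        {
            return Unauthorized();
        }

        // client_id / client_secret come from server-side configuration and never reach the browser.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "refresh_token" },
            { "refresh_token", refreshToken },
            { "client_id", ConfigurationManager.AppSettings["oauth:ClientId"] },
            { "client_secret", ConfigurationManager.AppSettings["oauth:ClientSecret"] }
        });

        var tokenEndpoint = new Uri(ConfigurationManager.AppSettings["oauth:TokenEndpoint"]); // https://.../Token
        HttpResponseMessage response = await Http.PostAsync(tokenEndpoint, form);
        if (!response.IsSuccessStatusCode)
        {
            // invalid_grant: the refresh token expired or was already used. Discard it so the
            // user is sent back through login instead of retrying a dead token forever.
            await _store.RemoveAsync(userId);
            return Unauthorized();
        }

        JObject body = JObject.Parse(await response.Content.ReadAsStringAsync());

        // If the authorization server rotates refresh tokens, keep the new one; the old one
        // has just been consumed.
        string rotatedRefreshToken = (string)body["refresh_token"];
        if (!string.IsNullOrEmpty(rotatedRefreshToken))
        {
            await _store.SaveAsync(userId, rotatedRefreshToken);
        }

        // Only the short-lived access token and its lifetime go back to the SPA.
        return Ok(new
        {
            access_token = (string)body["access_token"],
            expires_in = (int)body["expires_in"]
        });
    }
}
```

The trade-off is that the SPA's bearer token is now only as long-lived as its access token (minutes), while everything that can mint new tokens lives behind the cookie session on the server; logging the user out is then just removing their entry from the store.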
