I am creating an ASP.NET Core REST service. Currently doing authentication via JWT bearer tokens.
Right now, my code looks like:
    using System;
    using System.Security.Claims;
    using System.IdentityModel.Tokens.Jwt;

    DateTimeOffset dtNow = DateTime.Now;
    // Registered claims: subject, a unique token id, and issued-at as a Unix timestamp
    Claim[] claims = new Claim[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, strUsername),
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
        new Claim(JwtRegisteredClaimNames.Iat, dtNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)
    };
    // notBefore = now, expires = now + configured access-token lifetime
    JwtSecurityToken jwtAccess = new JwtSecurityToken(
        _options.Issuer,
        _options.Audience,
        claims,
        dtNow.DateTime,
        dtNow.DateTime.Add(_options.AccessTokenExpiration),
        _options.SigningCredentials);
    var response = new
    {
        access_token = new JwtSecurityTokenHandler().WriteToken(jwtAccess),
        token_type = "Bearer",
        expires_in = (int)_options.AccessTokenExpiration.TotalSeconds,
        refresh_token = ""
    };
Questions:
This is all dependent on the needs of your application but these do sound like reasonable numbers.
They are not created the same. An access token is typically a token that contains the JWT. A refresh token is a reference token that must be saved on the provider and then looked back up when it is passed in for a new access token.
Refresh tokens do not have a signature to verify. Basically you will pass over the information like client Id and secret plus the refresh token, and this will allow you to get a new access token. Like a username and password being saved for a long period of time that can be blacklisted if necessary.
No, you can update the refresh token every time they request a new access token; this will give you a "sliding" refresh token.
They can have different tokens for each app, but per application it is fine to overwrite their previous refresh token when they do a new login.
Yes, the users will have to get a new access token every ~30 minutes, but this also helps when your role provider is not the same as your application. This gives an API a way to look at roles without having to call the authorization server. The number of requests saved is drastic when you house the information in the token and only have to re-get that information every 30 minutes instead of an extra HTTP request to a separate server for every API call or post back.
Hopefully some of this was helpful. I am speaking from minor experience, but there are very good resources explaining this stuff from Auth0 or basically anything from the guys on IdentityServer3 (and now 4).
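The reference-token side of the answer above (server-side storage, overwrite per user/client on login, rotation on every use, revocation), as an added example that is not part of the question or answer. It assumes .NET 6+ and an in-memory store standing in for a database; client-secret verification and the JWT issuance from the question happen outside this class.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory refresh-token store; a real service would back this with a database.
public sealed class RefreshTokenStore
{
    private sealed record Entry(string UserName, string ClientId, DateTimeOffset ExpiresAt);

    // Only the SHA-256 of each opaque token is stored, so a leaked table yields no usable tokens.
    private readonly ConcurrentDictionary<string, Entry> _byHash = new();
    // Index of the single live token per (user, client), so a new login overwrites the old one.
    private readonly ConcurrentDictionary<(string User, string Client), string> _currentHash = new();
    private readonly TimeSpan _lifetime;

    public RefreshTokenStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Issues a fresh random token and invalidates any earlier token for this user/client.
    public string Issue(string userName, string clientId, DateTimeOffset now)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        string hash = Hash(token);
        if (_currentHash.TryGetValue((userName, clientId), out string? old)) _byHash.TryRemove(old, out _);
        _currentHash[(userName, clientId)] = hash;
        _byHash[hash] = new Entry(userName, clientId, now + _lifetime);
        return token;
    }

    // Looks the presented token back up, checks client and expiry, then rotates it ("sliding" token).
    public bool TryRedeem(string clientId, string presented, DateTimeOffset now,
                          out string userName, out string newToken)
    {
        userName = ""; newToken = "";
        if (!_byHash.TryGetValue(Hash(presented), out Entry? entry)) return false; // unknown or revoked
        if (entry.ClientId != clientId || entry.ExpiresAt <= now) return false;    // wrong client or expired
        userName = entry.UserName;
        newToken = Issue(entry.UserName, clientId, now);   // old token is single-use
        return true;
    }

    // Blacklisting: dropping the server-side record invalidates the token immediately.
    public bool Revoke(string userName, string clientId) =>
        _currentHash.TryRemove((userName, clientId), out string? hash) && _byHash.TryRemove(hash, out _);

    private static string Hash(string token) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}
```

On a successful TryRedeem the caller mints a new JwtSecurityToken for userName exactly as in the question and returns it together with newToken as the refresh_token field.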