OpenIddict Refresh Token Flow issue ASP.NET Core

I am trying to set my refresh token lifetime to 2 weeks. I have tried via FromSeconds, FromMinutes and FromHours, but it always sets the refresh token to the same lifetime as the access token. I would appreciate any help. This is what I currently have in my ConfigureServices:

services.AddOpenIddict(options =>
{
    // Register the Entity Framework stores.
    options.AddEntityFrameworkCoreStores<AppDbContext>();

    // Register the ASP.NET Core MVC binder used by OpenIddict.
    // Note: if you don't call this method, you won't be able to
    // bind OpenIdConnectRequest or OpenIdConnectResponse parameters.
    options.AddMvcBinders();

    // Enable the token endpoint.
    options.EnableTokenEndpoint("/connect/token");

    // Enable the password flow.
    options.AllowPasswordFlow()
            .AllowRefreshTokenFlow()
            .SetAccessTokenLifetime(TimeSpan.FromMinutes(1))
            .SetRefreshTokenLifetime(TimeSpan.FromMinutes(20160));

    // During development, you can disable the HTTPS requirement.
    options.DisableHttpsRequirement();
});

Please note: the following post won't resolve the issue: http://kosmisch.net/Blog/DotNetEssential/Archive/2017/9/11/openiddict-refresh-token-flow-issue-aspnet-core-20.html

Latest summary of the issue: when logging in with a user name and password, the following data is inserted into the openiddicttoken table:

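| Id | ApplicationId | AuthorizationId | Ciphertext | End | Hash | Start | Status | Subject | Type |
|----|---------------|-----------------|------------|-----|------|-------|--------|---------|------|
| 1 | NULL | NULL | NULL | 2017-10-12 11:24:26.0000000 +00:00 | NULL | 2017-09-12 11:24:26.0000000 +00:00 | valid | 1 | refresh_token |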

Then a refresh_token grant type request was made. The above record was updated, and the only change is the Status column, which changed from valid to redeemed:

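| Id | ApplicationId | AuthorizationId | Ciphertext | End | Hash | Start | Status | Subject | Type |
|----|---------------|-----------------|------------|-----|------|-------|--------|---------|------|
| 1 | NULL | NULL | NULL | 2017-10-12 11:24:26.0000000 +00:00 | NULL | 2017-09-12 11:24:26.0000000 +00:00 | redeemed | 1 | refresh_token |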

And the response JSON doesn't include the new refresh token attribute.

For the second refresh, I thought at least one of the Start or End columns should change, since I configured it to use sliding expiration.

But that is not the case. So I think there might be an issue with this refresh token method. Could you please have a look?

In the example: https://github.com/openiddict/openiddict-samples/tree/dev/samples/RefreshFlow

I downloaded it and I can see that each time a refresh is done, a new token is inserted, which is very different from the behaviour I had. BTW, I have changed the sample code to use sliding expiration as well.

The main difference is that my model uses int as TKey while the sample uses GUID. So I am wondering whether this has something to do with that?

options.UseOpenIddict<int>();

Found out the root cause of my issue:

// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);

While it should be:

// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal, properties, OpenIdConnectServerDefaults.AuthenticationScheme);
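The corrected ticket creation above, placed in the refresh_token branch of a token endpoint action, as an added example (not the poster's code and not OpenIddict's own). It assumes ASP.NET Core 2.0 with the ASOS-based OpenIddict packages used in the question, that `properties` is obtained by authenticating the incoming refresh token, and the hypothetical names `ApplicationUser` and `AuthorizationController`.

```csharp
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical user type with an int key, matching UseOpenIddict<int>() in the question.
public class ApplicationUser : IdentityUser<int> { }

public class AuthorizationController : Controller // hypothetical name
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly UserManager<ApplicationUser> _userManager;

    public AuthorizationController(SignInManager<ApplicationUser> signInManager,
                                   UserManager<ApplicationUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    [HttpPost("~/connect/token"), Produces("application/json")]
    public async Task<IActionResult> Exchange(OpenIdConnectRequest request)
    {
        // Only the refresh_token grant is shown; other grants are rejected here.
        if (!request.IsRefreshTokenGrantType())
            return Error(OpenIdConnectConstants.Errors.UnsupportedGrantType, "Grant type not handled in this example.");

        // Assumption: authenticating with the server scheme yields the principal and
        // the AuthenticationProperties that were stored with the incoming refresh token.
        var info = await HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);

        // Re-check the account on every refresh so a deleted user, or one no longer
        // allowed to sign in, cannot keep obtaining access tokens from an old refresh token.
        var user = info.Succeeded ? await _userManager.GetUserAsync(info.Principal) : null;
        if (user == null || !await _signInManager.CanSignInAsync(user))
            return Error(OpenIdConnectConstants.Errors.InvalidGrant, "The refresh token is no longer valid.");

        // Pass the existing properties through instead of new AuthenticationProperties().
        var principal = await _signInManager.CreateUserPrincipalAsync(user);
        var ticket = new AuthenticationTicket(principal, info.Properties,
            OpenIdConnectServerDefaults.AuthenticationScheme);
        return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
    }

    private IActionResult Error(string error, string description) =>
        BadRequest(new OpenIdConnectResponse { Error = error, ErrorDescription = description });
}
```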
