
Asp.net core 2 AuthenticationProperties storing jwt tokens

I am trying to get a better understanding of how jwt tokens are stored (id, access, refresh). When you add OpenIdConnect, one of the options you can set is saving tokens. With below configuration, whenever the user logs in, the jwt tokens are generated (without having to have a separate call to the authorization endpoint to retrieve tokens).

.AddOpenIdConnect("Test", options => {
    options.SaveTokens = true;
});

From what I have read, they are saved in the AuthenticationProperties collection returned along with the ClaimsPrincipal. You can retrieve them via HttpContext.GetTokenAsync.

Example below:

var accessToken = await HttpContext.GetTokenAsync("access_token");

I am trying to understand more about how these values are stored and retrieved. I know that the ClaimsPrincipal is a collection of identities / claims associated with a user. But how exactly are authentication properties set? How can I access the collection of authentication properties individually? Is there a class / interface I can use to get direct access to the class properties? I didn't see anything about authentication properties in the ClaimsPrincipal class.

Also, as the access token is stored in the authentication properties, is the only way to update the value to re-authenticate (ie challenge the user to login again)? How can I update the value? Or would it be better off extracting the value and storing it elsewhere to update?

I have been looking into this a bit myself as well. The OpenID Connect middleware seems to usually persist data into a signed cookie via a second cookie authentication scheme, specified by the SignInScheme option. Extending your example from before with an explicitly configured example:

.AddOpenIdConnect("Test", options => {
    options.SignInScheme = "MyCookieScheme";
    options.SaveTokens = true;
});

This example implies that a cookie authentication scheme has also been set up with a call like this:

.AddCookie("MyCookieScheme")

From the documentation comments on SignInScheme:

Gets or sets the authentication scheme corresponding to the middleware responsible of persisting user's identity after a successful authentication. This value typically corresponds to a cookie middleware registered in the Startup class. When omitted, Microsoft.AspNetCore.Authentication.AuthenticationOptions.DefaultSignInScheme is used as a fallback value.

(Note that this property actually comes from a RemoteAuthenticationOptions class that OpenIdConnectOptions extends.)

Tracing what happens in default setup scenarios where you don't explicitly give a cookie authentication scheme is a bit tricky but I imagine it sets one up by default, or relies on one being there. Also, I guess that in theory, any other type of authentication scheme could be used for this persistence (eg your own JWT issuing and signing scheme), but I have not seen any examples of this.

As for what is actually stored in the cookie and how it gets put there by the OpenID Connect middleware, you would probably have to do a lot of digging through all of the code to work that out for sure - the specifics of all this low-level middleware don't seem to have been documented much yet. All I know for sure is that the DataProtection middleware is involved in encrypting the contents of the cookie.

You could look into decrypting the cookie itself to see what's there - see the answers here: How to manually decrypt an ASP.NET Core Authentication cookie?

(oh and for the record, all these examples are based off ASP.NET Core v2.0)
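Added example (not part of the question or the answer above) showing where the tokens saved by SaveTokens end up and how to read the AuthenticationProperties directly and update a stored token without a new OIDC challenge. It assumes the cookie scheme is named "MyCookieScheme" and the OIDC scheme "Test" as in the answer; the Authority and ClientId values are placeholders, and newAccessToken is a hypothetical value obtained server-side.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AuthSetup
{
    public static void ConfigureAuth(IServiceCollection services)
    {
        services.AddAuthentication("MyCookieScheme") // default scheme: where identity and tokens persist
            .AddCookie("MyCookieScheme")
            .AddOpenIdConnect("Test", options =>
            {
                options.SignInScheme = "MyCookieScheme";
                options.SaveTokens = true;                       // tokens end up in AuthenticationProperties
                options.Authority = "https://idp.example.test";  // placeholder identity provider
                options.ClientId = "client-id-placeholder";      // placeholder client id
            });
    }
}

public class TokenController : Controller
{
    // Read the AuthenticationProperties directly: this is the object GetTokenAsync consults.
    public async Task<IActionResult> Inspect()
    {
        AuthenticateResult result = await HttpContext.AuthenticateAsync("MyCookieScheme");
        if (!result.Succeeded) return Challenge("Test");
        AuthenticationProperties props = result.Properties;
        return Json(new
        {
            // Raw key/value store behind the cookie; saved tokens sit under ".Token.<name>" keys.
            itemKeys = props.Items.Keys.ToArray(),
            tokenNames = props.GetTokens().Select(t => t.Name).ToArray(),
            hasAccessToken = props.GetTokenValue("access_token") != null
        });
    }

    // Replace the stored access token and re-issue the cookie; no new OIDC challenge is needed.
    // newAccessToken is hypothetical: a value obtained server-side (e.g. from a refresh grant).
    private async Task UpdateStoredAccessToken(string newAccessToken)
    {
        var result = await HttpContext.AuthenticateAsync("MyCookieScheme");
        if (!result.Succeeded) return;
        result.Properties.UpdateTokenValue("access_token", newAccessToken);
        await HttpContext.SignInAsync("MyCookieScheme", result.Principal, result.Properties);
    }
}
```

Because SignInAsync rewrites the cookie, the updated token is protected by DataProtection in the same way as the original, and later calls to GetTokenAsync("access_token") return the new value.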
