Skip to content

OAuth 2 refresh token support #8175

New issue
New issue
Open
Feature
Open
OAuth 2 refresh token support#8175
Feature
Labels
affected-mediumThis issue impacts approximately half of our customersarea-authIncludes: Authn, Authz, OAuth, OIDC, BearerenhancementThis issue represents an ask for new feature or an enhancement to an existing oneseverity-majorThis label is used by an internal tool
Milestone
 
Backlog
@nelle775

Description

@nelle775
nelle775
opened on Mar 4, 2019

The OAuthHandler class does not provide any option to expire the underlying Cookie ticket upon expiry of the Bearer Token, also it does not have any support for Refresh tokens other than storing the value in AuthenticationProperties.

I Suggest the following:
Add a property: bool ExpireUponTokenExpiry to RemoteAuthenticationOptions

On authenticating ticket, check this property
if false just return AuthenticateResult.Success upon validating the ticket
if true and bearer token is not expired return AuthenticateResult.Success
if true and bearer token is expired
-> if refresh_token isSet in AuthenticationProperties, Exhange the refresh token for new bearer token through http backchannel,
-> if no refresh_token is set, start a new OAuth authentication flow, with RedirectResult

Activity

blowdart
added
area-authIncludes: Authn, Authz, OAuth, OIDC, Bearer
on Mar 4, 2019
Tratcher

Tratcher commented on Mar 4, 2019

@Tratcher
Tratcher
on Mar 4, 2019
Member

The UseTokenLifetime OIDC option already does part of this, tying the cookie lifetime to the token lifetime, though most people don't like it and have turned it off.

The biggest gap in the suggested design is that RemoteAuth.AuthenticateAsync doesn't run every request, it only runs during sign-in. After sign-in it's CookieAuth.AuthenticateAsync that runs every request and it doesn't know about the upstream details.

The other big gap is that refresh is not a well standardized behavior for OAuth. I tried it with a few of our common providers and only two out of five were able to share any of their logic. This was my last experiment at refresh: https://github.com/aspnet/AspNetCore/blob/39e52578d354a6a7abb3f6169d5ac2174ffe4551/src/Security/Authentication/samples/SocialSample/Startup.cs

We do need to provide better refresh support, but I doubt it would ever be completely automatic. A big reason is concurrency. If you have any parallel requests from the same user they would all start attempting the refresh as soon as the token expired. A better pattern I've seen is to only refresh the token when you go to use it. That cuts down the concurrency as you only use that token on a small subset of requests.

Eilon
added this to the Backlog milestone on Mar 26, 2019
Eilon

Eilon commented on Mar 26, 2019

@Eilon
Eilon
on Mar 26, 2019
Contributor

Placing in backlog so we can consider in a future version.

Tratcher
added
affected-mediumThis issue impacts approximately half of our customers
enhancementThis issue represents an ask for new feature or an enhancement to an existing one
severity-majorThis label is used by an internal tool
on Nov 10, 2020
AdamWyzgol

AdamWyzgol commented on Sep 22, 2024

@AdamWyzgol
AdamWyzgol
on Sep 22, 2024

really still in backlog? since 2019?

halter73
modified the milestones: Backlog, .NET 10 Planning on Sep 27, 2024
halter73

halter73 commented on Sep 27, 2024

@halter73
halter73
on Sep 27, 2024 · edited by halter73
Member

Moving out of backlog for consideration in .NET 10. We could look at CookieOidcRefresher for inspiration although that's specifically for the OpenIdConnectHandler rather than the OAuthHandler. It would be nice to add refresh support to both.

#55213 is related but even tricker because in the case of Blazor Server interactivity it's harder to store the refreshed tokens in an updated cookie

Fronix

Fronix commented on Nov 8, 2024

@Fronix
Fronix
on Nov 8, 2024

For anyone who keeps returning here hoping for some type of revelation:

https://github.com/DuendeSoftware/Duende.AccessTokenManagement has created something that seems to work and has working examples...

josephdecock

josephdecock commented on Nov 8, 2024

@josephdecock
josephdecock
on Nov 8, 2024 · edited by josephdecock
Contributor

Thanks for the shoutout @Fronix! I'm one of the maintainers of Duende.AccessTokenManagement, so I thought I'd chime in. We're an apache licensed library sponsored by Duende Software for automatically managing access tokens.

In addition to simple token management, we also have support for DPoP (sender constrained tokens). And we have an extensibility point for storing tokens outside of cookies (especially helpful for Blazor Server).

developer9969

developer9969 commented on Dec 16, 2024

@developer9969
developer9969
on Dec 16, 2024

@josephdecock Hi come across this thread and also used in a pluralsight course I have just watched, my question is , is the accesstokenManagment nuget free to use in commercial application?

brockallen

brockallen commented on Dec 16, 2024

@brockallen
brockallen
on Dec 16, 2024 · edited by brockallen

Hi come across this thread and also used in a pluralsight course I have just watched, my question is , is the accesstokenManagment nuget free to use in commercial application?

Yes, Apache2.

https://www.nuget.org/packages/Duende.AccessTokenManagement

9 remaining items

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    affected-mediumThis issue impacts approximately half of our customersarea-authIncludes: Authn, Authz, OAuth, OIDC, BearerenhancementThis issue represents an ask for new feature or an enhancement to an existing oneseverity-majorThis label is used by an internal tool

    Type

    Projects

    No projects

    Milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @halter73@AdamWyzgol@Eilon@Fronix@brockallen

        Issue actions
          OAuth 2 refresh token support · Issue #8175 · dotnet/aspnetcore