84

I am using the Web Api 2 template that comes with Visual Studio 2013 has some OWIN middleware to do User Authentication and the likes of.

In the OAuthAuthorizationServerOptions I noticed that the OAuth2 Server is setup to hand out tokens that expire in 14 days

 OAuthOptions = new OAuthAuthorizationServerOptions
 {
      TokenEndpointPath = new PathString("/api/token"),
      Provider = new ApplicationOAuthProvider(PublicClientId,UserManagerFactory) ,
      AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
      AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
      AllowInsecureHttp = true
 };

This is not suitable for my latest project. I would like to hand out short lived bearer_tokens that can be refreshed using a refresh_token

I have done lots of googling and can't find anything helpful.

So this is how far I have managed to get. I have now reached the point of "WTF do I now".

I have written a RefreshTokenProvider that implements IAuthenticationTokenProvider as per the RefreshTokenProvider property on OAuthAuthorizationServerOptions class:

    public class SimpleRefreshTokenProvider : IAuthenticationTokenProvider
    {
       private static ConcurrentDictionary<string, AuthenticationTicket> _refreshTokens = new ConcurrentDictionary<string, AuthenticationTicket>();

        public async Task CreateAsync(AuthenticationTokenCreateContext context)
        {
            var guid = Guid.NewGuid().ToString();


            _refreshTokens.TryAdd(guid, context.Ticket);

            // hash??
            context.SetToken(guid);
        }

        public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
        {
            AuthenticationTicket ticket;

            if (_refreshTokens.TryRemove(context.Token, out ticket))
            {
                context.SetTicket(ticket);
            }
        }

        public void Create(AuthenticationTokenCreateContext context)
        {
            throw new NotImplementedException();
        }

        public void Receive(AuthenticationTokenReceiveContext context)
        {
            throw new NotImplementedException();
        }
    }

    // Now in my Startup.Auth.cs
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/api/token"),
        Provider = new ApplicationOAuthProvider(PublicClientId,UserManagerFactory) ,
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(2),
        AllowInsecureHttp = true,
        RefreshTokenProvider = new RefreshTokenProvider() // This is my test
    };

So now when someone requests a bearer_token I am now sending a refresh_token, which is great.

So now how do I uses this refresh_token to get a new bearer_token, presumably I need to send a request to my token endpoint with some specific HTTP Headers set?

Just thinking out loud as I type... Should I handle refresh_token expiration in my SimpleRefreshTokenProvider? How would a client obtain a new refresh_token?

I could really do with some reading material / documentation because I don't want to get this wrong and would like to follow some sort of standard.

SimonGates
  • 5,961
  • 4
  • 40
  • 52
  • 7
    There is a great tutorial on implementing refresh tokens using Owin and OAuth: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ – Philip Sep 30 '15 at 21:00

4 Answers4

84

Just implemented my OWIN Service with Bearer (called access_token in the following) and Refresh Tokens. My insight into this is that you can use different flows. So it depends on the flow you want to use how you set your access_token and refresh_token expiration times.

I will describe two flows A and B in the follwing (I suggest what you want to have is flow B):

A) expiration time of access_token and refresh_token are the same as it is per default 1200 seconds or 20 minutes. This flow needs your client first to send client_id and client_secret with login data to get an access_token, refresh_token and expiration_time. With the refresh_token it is now possible to get a new access_token for 20 minutes (or whatever you set the AccessTokenExpireTimeSpan in the OAuthAuthorizationServerOptions to). For the reason that the expiration time of access_token and refresh_token are the same, your client is responsible to get a new access_token before the expiration time! E.g. your client could send a refresh POST call to your token endpoint with the body (remark: you should use https in production) 

grant_type=refresh_token&client_id=xxxxxx&refresh_token=xxxxxxxx-xxxx-xxxx-xxxx-xxxxx

to get a new token after e.g. 19 minutes to prevent the tokens from expiration.

B) in this flow you want to have a short term expiration for your access_token and a long term expiration for your refresh_token. Lets assume for test purpose you set the access_token to expire in 10 seconds (AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(10)) and the refresh_token to 5 Minutes. Now it comes to the interesting part setting the expiration time of refresh_token: You do this in your createAsync function in SimpleRefreshTokenProvider class like this:

var guid = Guid.NewGuid().ToString();


        //copy properties and set the desired lifetime of refresh token
        var refreshTokenProperties = new AuthenticationProperties(context.Ticket.Properties.Dictionary)
        {
            IssuedUtc = context.Ticket.Properties.IssuedUtc,
            ExpiresUtc = DateTime.UtcNow.AddMinutes(5) //SET DATETIME to 5 Minutes
            //ExpiresUtc = DateTime.UtcNow.AddMonths(3) 
        };
        /*CREATE A NEW TICKET WITH EXPIRATION TIME OF 5 MINUTES 
         *INCLUDING THE VALUES OF THE CONTEXT TICKET: SO ALL WE 
         *DO HERE IS TO ADD THE PROPERTIES IssuedUtc and 
         *ExpiredUtc to the TICKET*/
        var refreshTokenTicket = new AuthenticationTicket(context.Ticket.Identity, refreshTokenProperties);

        //saving the new refreshTokenTicket to a local var of Type ConcurrentDictionary<string,AuthenticationTicket>
        // consider storing only the hash of the handle
        RefreshTokens.TryAdd(guid, refreshTokenTicket);            
        context.SetToken(guid);

Now your client is able to send a POST call with a refresh_token to your token endpoint when the access_token is expired. The body part of the call may look like this: grant_type=refresh_token&client_id=xxxxxx&refresh_token=xxxxxxxx-xxxx-xxxx-xxxx-xx

One important thing is that you may want to use this code not only in your CreateAsync function but also in your Create function. So you should consider to use your own function (e.g. called CreateTokenInternal) for the above code. Here you can find implementations of different flows including refresh_token flow(but without setting the expiration time of the refresh_token)

Here is one sample implementation of IAuthenticationTokenProvider on github (with setting the expiration time of the refresh_token)

I am sorry that I can't help out with further materials than the OAuth Specs and the Microsoft API Documentation. I would post the links here but my reputation doesn't let me post more than 2 links....

I hope this may help some others to spare time when trying to implement OAuth2.0 with refresh_token expiration time different to access_token expiration time. I couldn't find an example implementation on the web (except the one of thinktecture linked above) and it took me some hours of investigation until it worked for me.

New info: In my case I have two different possibilities to receive tokens. One is to receive a valid access_token. There I have to send a POST call with a String body in format application/x-www-form-urlencoded with the following data 

client_id=YOURCLIENTID&grant_type=password&username=YOURUSERNAME&password=YOURPASSWORD

Second is if access_token is not valid anymore we can try the refresh_token by sending a POST call with a String body in format application/x-www-form-urlencoded with the following data grant_type=refresh_token&client_id=YOURCLIENTID&refresh_token=YOURREFRESHTOKENGUID

Anton Sizikov
  • 9,105
  • 1
  • 28
  • 39
Freddy
  • 1,022
  • 9
  • 16
  • 1
    one of your comments says "consider storing ony the hash of the handle", shouldn't that comment apply to the line above? The ticket holds the original guid, but we only store the hash of the guid in `RefreshTokens`, so if `RefreshTokens` is leaked, an attacker cannot use that information!? – esskar Oct 06 '14 at 09:56
  • it seems like it; asked the OA: https://github.com/thinktecture/Thinktecture.IdentityModel/commit/108294df9500f15ed4a19e3cc1a6f204b48fb08e – esskar Oct 06 '14 at 10:05
  • In flow A, everytime you refresh the page you can reset the javascript timer for a new count down to 19 minutes. But then does that mean you have to get a new access token and refresh token on every page refresh? That sounds wasteful of tokens if true :) Cant the expiry time of existing token be extended? – user20358 Apr 10 '15 at 15:12
  • 1
    As described in flow B you can set the expiration time for access_token by using AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60) for one hour or FromWHATEVER for the time you want the access_token to expire. But be aware that if you are using refresh_token in your flow the expiration time of your refresh_token should be higher than the one of your access_token. So for example us 24 hours for access_token and 2 month for refresh_token. You can set the expiration time of access_token in OAuth configuration. – Freddy Apr 12 '15 at 06:25
  • You can always set expiration time of both token types - this is not dependant on the flow you are using. – Freddy Apr 12 '15 at 06:31
  • See [my answer below](http://stackoverflow.com/a/34629748/1746803) for an implementation of token hashing. – Knelis Jan 06 '16 at 09:39
  • what is client_id, does the client have to send that? if so where does it get it from in the first place? – raklos Jun 16 '16 at 10:17
  • 12
    Don't use Guids for your tokens nor hashes of them, it isn't secure. Use the System.Cryptography namespace to generate a random byte array and convert that to a string. Otherwise your refresh tokens can be guessed by brute force attacks. – Bon Jun 20 '16 at 19:11
  • Nice answer ! I want to implement Digits for authentication which will provide me client id and then how can i will pass that to generate access-token and refresh-token using OAuth 2.0? – Neo May 16 '17 at 04:33
  • 1
    @Bon You're gonna brute-force-guess a Guid? Your rate limiter should kick in way before the attacker could post even a handful of requests. And if not, it's still a Guid. – lonix May 22 '19 at 09:48
  • @linux no I'm not. Not purely that is. But I might be able to guess and limit the problem space substantially. https://stackoverflow.com/questions/3652944/how-securely-unguessable-are-guids – Bon May 23 '19 at 10:08
  • @lonix GUID generator doesn't satisfy the [next-bit test](https://en.wikipedia.org/wiki/Next-bit_test), thus it's not a cryptographically secure pseudorandom number generator – Vladi Pavelka Aug 26 '19 at 15:22
46

You need to implement RefreshTokenProvider. First create class for RefreshTokenProvider ie.

public class ApplicationRefreshTokenProvider : AuthenticationTokenProvider
{
    public override void Create(AuthenticationTokenCreateContext context)
    {
        // Expiration time in seconds
        int expire = 5*60;
        context.Ticket.Properties.ExpiresUtc = new DateTimeOffset(DateTime.Now.AddSeconds(expire));
        context.SetToken(context.SerializeTicket());
    }

    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        context.DeserializeTicket(context.Token);
    }
}

Then add instance to OAuthOptions.

OAuthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/authenticate"),
    Provider = new ApplicationOAuthProvider(),
    AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(expire),
    RefreshTokenProvider = new ApplicationRefreshTokenProvider()
};
Mauricio
  • 461
  • 4
  • 2
  • This will create and return a new refresh token everytime, even tho you might only be intressted in returning a new access token and not a new refresh token aswell. For instance wen calling for a access token but with a refresh token and not credentials(username/password). Is there anyway to avoid this? – Mattias Mar 03 '16 at 13:18
  • You can, but it isn't pretty. The `context.OwinContext.Environment` contains a `Microsoft.Owin.Form#collection` key which gives you a `FormCollection` where you can find the grant type and add a token accordingly. It's leaking the the implementation, it may break at any point with future updates, and I'm unsure if it is portable between OWIN hosts. – hvidgaard Mar 10 '16 at 12:05
  • 3
    you can avoid issuing a new refresh token every time by reading the "grant_type" value from the OwinRequest object, like so: `var form = await context.Request.ReadFormAsync();` `var grantType = form.GetValue("grant_type");` then issue the refresh token if grant type is not "refresh_token" – Duy Mar 16 '16 at 05:07
  • 1
    @mattias You'd still want to return a new refresh token in that scenario. Otherwise the client is left in a lurch after refreshing for the first time, because the second access token expires and they have no way to refresh without prompting for credentials again. – Eric Eskildsen Sep 20 '17 at 20:44
9

I don't think that you should be using an array to maintain tokens. Neither you need a guid as a token.

You can easily use context.SerializeTicket().

See my below code.

public class RefreshTokenProvider : IAuthenticationTokenProvider
{
    public async Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        Create(context);
    }

    public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        Receive(context);
    }

    public void Create(AuthenticationTokenCreateContext context)
    {
        object inputs;
        context.OwinContext.Environment.TryGetValue("Microsoft.Owin.Form#collection", out inputs);

        var grantType = ((FormCollection)inputs)?.GetValues("grant_type");

        var grant = grantType.FirstOrDefault();

        if (grant == null || grant.Equals("refresh_token")) return;

        context.Ticket.Properties.ExpiresUtc = DateTime.UtcNow.AddDays(Constants.RefreshTokenExpiryInDays);

        context.SetToken(context.SerializeTicket());
    }

    public void Receive(AuthenticationTokenReceiveContext context)
    {
        context.DeserializeTicket(context.Token);

        if (context.Ticket == null)
        {
            context.Response.StatusCode = 400;
            context.Response.ContentType = "application/json";
            context.Response.ReasonPhrase = "invalid token";
            return;
        }

        if (context.Ticket.Properties.ExpiresUtc <= DateTime.UtcNow)
        {
            context.Response.StatusCode = 401;
            context.Response.ContentType = "application/json";
            context.Response.ReasonPhrase = "unauthorized";
            return;
        }

        context.Ticket.Properties.ExpiresUtc = DateTime.UtcNow.AddDays(Constants.RefreshTokenExpiryInDays);
        context.SetTicket(context.Ticket);
    }
}
peeyush rahariya
  • 391
  • 3
  • 4
3

Freddy's answer helped me a lot to get this working. For the sake of completeness here's how you could implement hashing of the token:

private string ComputeHash(Guid input)
{
    byte[] source = input.ToByteArray();

    var encoder = new SHA256Managed();
    byte[] encoded = encoder.ComputeHash(source);

    return Convert.ToBase64String(encoded);
}

In CreateAsync:

var guid = Guid.NewGuid();
...
_refreshTokens.TryAdd(ComputeHash(guid), refreshTokenTicket);
context.SetToken(guid.ToString());

ReceiveAsync:

public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
{
    Guid token;

    if (Guid.TryParse(context.Token, out token))
    {
        AuthenticationTicket ticket;

        if (_refreshTokens.TryRemove(ComputeHash(token), out ticket))
        {
            context.SetTicket(ticket);
        }
    }
}
Community
  • 1
  • 1
Knelis
  • 6,782
  • 2
  • 34
  • 54
  • How does hashing help in this case? – Ajaxe Feb 23 '16 at 01:38
  • 3
    @Ajaxe: The original solution stored the Guid. With hashing we're not keeping the plain-text token but its hash. If you store the tokens in a database for example, it's better to store the hash. If the database is compromised, the tokens are unusable as long as they're encrypted. – Knelis Feb 23 '16 at 11:09
  • Not only to protect against external threats, but also to prevent employees (who have access to the database) from stealing the tokens. – lonix May 22 '19 at 09:45