Token Refresh with Asp.NET Identity

Token Refresh with Asp.NET Identity

Step by step guide on how refresh Asp.NET API Json Web Tokens (JWT)

The Need

Every properly issued JWT (Json Web Token) has an expiry date, generally within minutes of issuance, and once the expiry date is passed, the token becomes invalid and needs to be re-issued. If the token couldnt be renewed, the user needs to be redirected to the Login page, to acquire their credentials again. In this post, I will cover how to re-issue a new token based on an expired one.

By the way, this topic belongs to the series to set up Authentication and Authorisation for Asp.NET and React ecosystems.

1. Asp.Net Core Web Api Setup

2. React Single Page App Setup

3. Asp.NET Identity DB Setup

4. Email Sender

5. Sign Up & Activation

6. Check User Authentication Status

7. Change Password

8. Sign In

9. Policy Based Access Management

10. Token Refresh

11. Google Authentication with React and Asp.NET API

12. Microsoft Authentication with React and Asp.NET API

13. Twitter Authentication with React and Asp.NET API

Asp.NET Identity comes with Token Validation Services. When I generate every pair of AccessToken and Refresh token at Login time, I also save them into the database using SetAuthenticationTokenAsync method of Asp.NET Identity UserManager, like the code below:

Note
Configuration, plumbing and troubleshooting your software foundation take a considerable amount of time in your product development. Consider using Pellerex which is a complete foundation for your enterprise software products, providing source-included Identity and Payment functions across UI(React), API(.NET), Pipeline(Azure DevOps) and Infrastructure(Kubernetes).

All I need to do to verify an already issued RefreshToken, is to use the VerifyUserTokenAsync method of UserManager and pass the arguments and get a validation response like below:

If you like to read more on the last two methods GetUserClaims, and GenerateTokens, refer to my detailed post on SignIn with React and Asp.NET API.

Also if you have a need to automate the Refresh Token process into your UI, refer to calling secured API in React using Axios.

Summary

In this post I explained the need for Refresh Tokens, and how to use them to issue a new pair of Access Token and Refresh Token, to avoid forcing the user to go through the login process again.