openiddict / openiddict-core

Flexible and versatile OAuth 2.0/OpenID Connect stack for .NET
https://openiddict.com/
Apache License 2.0

Refresh flow doesn't return refresh token #599

Closed ngohungphuc closed 6 years ago

ngohungphuc commented 6 years ago

Hi @PinpointTownes, I have a problem with the refresh flow. The refresh flow doesn't return a refresh_token (see the attached Postman screenshot).

Here is my author controller https://github.com/Awesome-CMS-Core/Awesome-CMS-Core/blob/ACC-login-redirect/src/AwesomeCMSCore/Modules/AwesomeCMSCore.Modules.Account/Controllers/API/AuthorizationController.cs

And my start up code https://github.com/Awesome-CMS-Core/Awesome-CMS-Core/blob/ACC-login-redirect/src/AwesomeCMSCore/AwesomeCMSCore/Extension/ServiceCollectionExtensions.cs#L170-L254

Am I missing something?

kevinchalet commented 6 years ago

Hey,

https://github.com/openiddict/openiddict-core/issues/462 should put you on the right track.

ngohungphuc commented 6 years ago

So you mean that I can only have one refresh_token? What if the token expires again?

kevinchalet commented 6 years ago

By default, OpenIddict will now issue a single refresh token and manage its lifetime dynamically by extending its expiration date every time it's used in a refresh token request. This refresh token is not automatically revoked and can be used until it expires.

ngohungphuc commented 6 years ago

OK, so that means I can store the refresh_token in my local storage and use it for multiple refresh requests, right?

kevinchalet commented 6 years ago

Yes.

ngohungphuc commented 6 years ago

Thanks for your confirmation.

ajithkumarrai commented 5 years ago

Hi @ngohungphuc, @PinpointTownes, could you please help me with, or share, an OpenIddict-related sample for ASP.NET Core 2.2 for the scenario below:

  1. Without EF integration
  2. OpenIddict refresh token generation (even though I followed the steps in the samples, it is not giving a refresh token at the time of token generation)

(attached: AuthorizationController.docx, startup.docx)

kinosang commented 5 years ago

@ajithkumarrai

For OpenIddict refresh token flow, see https://github.com/openiddict/openiddict-samples/tree/dev/samples/RefreshFlow.

Unfortunately, there's no official sample without EF integration, but there's only one real difference from the samples: you should create your own models and stores. See OpenIddict.EntityFrameworkCore, OpenIddict.EntityFrameworkCore.Models, OpenIddict.MongoDb, and OpenIddict.MongoDb.Models for that.

#242 and #328 may help.

ajithkumarrai commented 5 years ago

Hi

> @ajithkumarrai
>
> For OpenIddict refresh token flow, see https://github.com/openiddict/openiddict-samples/tree/dev/samples/RefreshFlow.
>
> Unfortunately, there's no official sample without EF integration, but there's only one real difference from the samples: you should create your own models and stores. See OpenIddict.EntityFrameworkCore, OpenIddict.EntityFrameworkCore.Models, OpenIddict.MongoDb, and OpenIddict.MongoDb.Models for that.
>
> #242 and #328 may help.

Thank you for the reply. In the attached files I created a sample by following https://github.com/openiddict/openiddict-samples/tree/dev/samples/RefreshFlow, but while generating a token (password grant response) it is not giving a refresh_token attribute in the response.

We are using an enterprise NoSQL database other than MongoDB, and we don't want to maintain storage for refresh tokens.

Could you please check the attached files? (Without EF or storage I am able to generate a token, but there is no refresh token in the response.)

kinosang commented 5 years ago

@ajithkumarrai

> but while generating a token (password grant response) it is not giving a refresh_token attribute in the response.

The offline_access scope should be added to your request to get a refresh_token.

ngohungphuc commented 5 years ago

@ajithkumarrai You can check my code here https://github.com/SaiGonSoftware/Awesome-CMS-Core/

ajithkumarrai commented 5 years ago

Do we need to maintain the refresh token in a DB?

Even after following the sample I am not getting a refresh token. I added the scopes like this:

ticket.SetScopes(new[] { OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.Email, OpenIdConnectConstants.Scopes.Profile, OpenIdConnectConstants.Scopes.OfflineAccess, OpenIddictConstants.Scopes.Roles }.Intersect(oidcRequest.GetScopes()));

[screenshot of the token response]

ngohungphuc commented 5 years ago

@ajithkumarrai I save the refresh token in localStorage, but you can save it to a DB. It's just personal preference.

ajithkumarrai commented 5 years ago

Does that mean we need to store the refresh token, and it will not be handled by OpenIddict automatically like in ASOS? We don't have SQL or MongoDB; we are using MarkLogic, and we also don't want to save tokens in a DB. Could you please guide me on this?

Local storage means client-side script, right? But before that, I am not even getting a refresh token, as per the above screenshot.

In the above screen, when I was requesting a token (password type), I did not receive a refresh token.

theVietCoder commented 5 years ago

> Does that mean we need to store the refresh token, and it will not be handled by OpenIddict automatically like in ASOS? We don't have SQL or MongoDB; we are using MarkLogic, and we also don't want to save tokens in a DB. Could you please guide me on this?
>
> Local storage means client-side script, right? But before that, I am not even getting a refresh token, as per the above screenshot.
>
> In the above screen, when I was requesting a token (password type), I did not receive a refresh token.

@ajithkumarrai: You need to set the scope as openid offline_access in your request. Read more here: https://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-testing-your-authorization-server-with-postman/
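The answers in this thread come down to two things: the client must send the offline_access scope, and the server must keep that scope on the ticket it signs in. The following token endpoint, an added example that is not from the issue, the OpenIddict samples or any of the linked repositories, shows both halves for OpenIddict 2.x on ASP.NET Core 2.2 (the AspNet.Security.OpenIdConnect.* API used in the thread). It assumes ASP.NET Core Identity with IdentityUser, and that the startup configuration enables both the password and refresh token flows; the route, the class name and the error descriptions are assumptions.

```csharp
// Added example, not part of the issue or the OpenIddict project.
// Assumes OpenIddict 2.x / ASP.NET Core 2.2 with ASP.NET Core Identity (IdentityUser).
using System.Linq;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class AuthorizationController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public AuthorizationController(
        SignInManager<IdentityUser> signInManager,
        UserManager<IdentityUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    // Client side: the password grant request must carry the scope explicitly, e.g.
    //   POST /connect/token
    //   grant_type=password&username=...&password=...&scope=openid offline_access
    // If "scope" contains only "openid", the Intersect() below drops offline_access
    // and OpenIddict issues no refresh_token at all.
    [HttpPost("~/connect/token"), Produces("application/json")]
    public async Task<IActionResult> Exchange(OpenIdConnectRequest request)
    {
        if (request.IsPasswordGrantType())
        {
            var user = await _userManager.FindByNameAsync(request.Username);
            if (user == null || !await _userManager.CheckPasswordAsync(user, request.Password))
            {
                return BadRequest(new OpenIdConnectResponse
                {
                    Error = OpenIdConnectConstants.Errors.InvalidGrant,
                    ErrorDescription = "The username/password couple is invalid."
                });
            }

            var principal = await _signInManager.CreateUserPrincipalAsync(user);
            var ticket = new AuthenticationTicket(
                principal,
                new AuthenticationProperties(),
                OpenIdConnectServerDefaults.AuthenticationScheme);

            // Server side: a refresh token is only produced when offline_access is among
            // the granted scopes. Intersecting with the requested scopes means the server
            // never hands out a refresh token the client did not ask for.
            ticket.SetScopes(new[]
            {
                OpenIdConnectConstants.Scopes.OpenId,
                OpenIdConnectConstants.Scopes.OfflineAccess
            }.Intersect(request.GetScopes()));

            // Claims need a destination or they are not copied into the access token.
            foreach (var claim in ticket.Principal.Claims)
            {
                claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken);
            }

            return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
        }

        if (request.IsRefreshTokenGrantType())
        {
            // OpenIddict has already validated the refresh token before this action runs;
            // the principal and properties it carried are available through the scheme.
            var info = await HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);

            var user = await _userManager.GetUserAsync(info.Principal);
            if (user == null || !await _signInManager.CanSignInAsync(user))
            {
                return BadRequest(new OpenIdConnectResponse
                {
                    Error = OpenIdConnectConstants.Errors.InvalidGrant,
                    ErrorDescription = "The refresh token is no longer valid."
                });
            }

            // Re-create the principal so revoked roles or a disabled account are picked up,
            // but reuse the original properties: they carry the granted scopes, so
            // offline_access survives and the same refresh token keeps working until it
            // expires (its lifetime slides on each use, as described earlier in the thread).
            var principal = await _signInManager.CreateUserPrincipalAsync(user);
            var ticket = new AuthenticationTicket(
                principal,
                info.Properties,
                OpenIdConnectServerDefaults.AuthenticationScheme);

            return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
        }

        return BadRequest(new OpenIdConnectResponse
        {
            Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
            ErrorDescription = "The specified grant type is not supported."
        });
    }
}
```

The refresh branch deliberately re-reads the user from the store rather than trusting the old principal as-is: a refresh token that keeps sliding its expiration can outlive a password change or an account lockout, and the CanSignInAsync check is where those are enforced.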