Learn how to implement refresh token support in a JWT authentication server in ASP.NET Core. Access tokens should expire in a short amount of time so that if a token is stolen, the thief has only a limited window in which to access confidential information. However, short expiry forces users to inconveniently resubmit their login credentials.
To solve this, we will add refresh tokens. Refresh tokens allow clients to obtain a new access token without having to resubmit their login credentials, and they have a much longer expiration time.
So what if the refresh token gets stolen?! No worries, refresh tokens will be stored in the database. If the refresh token does not exist in the database, then it is not valid. This means a stolen refresh token can be invalidated simply by removing it from the database.
So why don't we just forget about this whole refresh token thing? Can't we just give access tokens a long expiration time and store them in the database for validation? We could... except then we'd have to hit the database on EVERY request to EVERY server to make sure the access token is valid!
You might also want to consider hashing refresh tokens stored in the database for extra security.
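The flow described above (short-lived access token validated by signature alone, long-lived JWT refresh token stored as a hash, looked up and then deleted on use or logout, with ClockSkew set to zero), as an added example that is not code from the video or the SingletonSean repository. The issuer, audience, lifetimes, the two secrets and the in-memory dictionary standing in for the database table are all assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public sealed class TokenService
{
    private readonly SymmetricSecurityKey _accessKey;
    private readonly SymmetricSecurityKey _refreshKey;
    private readonly string _issuer = "https://auth.example.test";   // assumed issuer
    private readonly string _audience = "https://api.example.test";  // assumed audience
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();

    // Stand-in for the refresh-token table. Only the SHA-256 hash of each issued
    // refresh token is kept (hash -> user id), so a leaked table yields no usable tokens.
    private readonly Dictionary<string, string> _refreshStore = new Dictionary<string, string>();

    // Both secrets must be at least 32 bytes for HS256; assumed to come from configuration.
    public TokenService(string accessSecret, string refreshSecret)
    {
        _accessKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(accessSecret));
        _refreshKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(refreshSecret));
    }

    public (string AccessToken, string RefreshToken) IssueTokens(string userId)
    {
        // Short-lived access token: carries the identity, checked by signature only (no DB hit).
        string access = CreateToken(_accessKey, TimeSpan.FromMinutes(15),
            new Claim(ClaimTypes.NameIdentifier, userId));
        // Long-lived refresh token: a random jti guarantees every token hashes differently.
        string refresh = CreateToken(_refreshKey, TimeSpan.FromDays(7),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()));
        _refreshStore[Hash(refresh)] = userId;   // persist hash + owner
        return (access, refresh);
    }

    // Returns null when the refresh request must be rejected.
    public (string AccessToken, string RefreshToken)? Refresh(string refreshToken)
    {
        // 1. Signature and expiry must check out.
        if (!Validate(refreshToken, _refreshKey)) return null;
        // 2. The token must still be in the store; revoked or already-used tokens are gone.
        string hash = Hash(refreshToken);
        if (!_refreshStore.TryGetValue(hash, out string userId)) return null;
        // 3. One-time use: remove the used token before issuing replacements.
        _refreshStore.Remove(hash);
        return IssueTokens(userId);
    }

    // Logout invalidates the refresh token; the access token simply ages out.
    public void Logout(string refreshToken) => _refreshStore.Remove(Hash(refreshToken));

    public bool ValidateAccessToken(string token) => Validate(token, _accessKey);

    private string CreateToken(SecurityKey key, TimeSpan lifetime, params Claim[] claims)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Issuer = _issuer,
            Audience = _audience,
            Expires = DateTime.UtcNow.Add(lifetime),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256Signature)
        };
        return _handler.WriteToken(_handler.CreateToken(descriptor));
    }

    private bool Validate(string token, SecurityKey key)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = _issuer,
            ValidAudience = _audience,
            IssuerSigningKey = key,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero   // default is 5 minutes, which lets expired tokens linger
        };
        try { _handler.ValidateToken(token, parameters, out _); return true; }
        catch (SecurityTokenException) { return false; }
        catch (ArgumentException) { return false; }   // malformed token string
    }

    private static string Hash(string token)
    {
        using var sha = SHA256.Create();
        return Convert.ToHexString(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

Typical use: `IssueTokens(userId)` on login, `Refresh(refreshToken)` from the refresh route (a null result maps to 401), and `Logout(refreshToken)` on logout. Because `Refresh` deletes the hash before calling `IssueTokens`, presenting the same refresh token twice fails the second time, which is the invalidation behaviour the video tests at the end.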
In this series, I demonstrate how to build a JWT authentication server in ASP.NET Core. The server will support user registration, logging in to get a JWT access and refresh token, refreshing expired tokens, and logging out to invalidate refresh tokens. If your application needs authentication or if you're interested in microservices, this is the series for you!
TIMESTAMPS:
0:00 - Introduction
0:32 - Fixing ClockSkew
1:43 - JWT Refresh Token Generation
6:50 - Refresh Route Setup
7:28 - Validating the Refresh Request
10:25 - Who is the user? How can we invalidate refresh tokens?
11:58 - Storing Refresh Tokens
14:05 - Querying Stored Refresh Tokens
15:15 - Getting the Refresh Token User
16:05 - Generating New Tokens
18:12 - Testing Refresh
18:56 - Invalidating Used Refresh Tokens
19:56 - Testing Invalidation
20:17 - Conclusion (Cliffhanger for next episode!)
SOURCE CONTROL: https://github.com/SingletonSean/authentication-server
SECRET KEY GENERATION: https://mkjwk.org/
JWT DEBUGGING: https://jwt.io/
GET POSTMAN: https://www.postman.com/downloads/
OTHER LINKS:
Donations: https://www.paypal.com/biz/fund?id=UBZCZWX2UVWJE