Closed
Description
Important
This must be implemented using feature/46-integrate-identity as the feature branch. Branch from it and, when ready, open a PR back to feature/46-integrate-identity.
Goal
We want clients of the API to be able to use refresh tokens to renew their JWT tokens without sending their credentials again.
Scope
- Add refresh token endpoint
- Add revoke token endpoint
Out of scope
- Modify authorization logic to return 401 with a token_expired error as (if) required (according to RFC 6750, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", https://www.rfc-editor.org/rfc/rfc6750, p. 8, section 3.1, the resource server should return 401)
- Update config values as required, e.g. add a refresh token lifetime value
Acceptance Criteria
- Users with a valid but expired JWT token can call the refresh endpoint and receive a new token
- Anonymous users cannot access the refresh token endpoint
- Refresh tokens renew the JWT token only if the JWT token is valid, the refresh token is valid, and both belong to the same user
- Refresh tokens can only be used once
- Users with expired tokens receive a 401 error with a token expired error
- The revoke token endpoint invalidates the refresh token
- A refresh request with a revoked refresh token returns an error
- Users can have no more than one refresh token at a time
Deliverables
- Working endpoints
- Tests
Proposed Solution
- Check https://github.com/dotnet/aspnetcore/blob/main/src/Identity/Core/src/IdentityApiEndpointRouteBuilderExtensions.cs#L122 and review the implementation. We don't use the SignInManager, but we have access to the UserStore and UserManager, so we should be able to reproduce the same logic.
- The latest version of FastEndpoints has a new feature supporting token revocation and refresh tokens: https://fast-endpoints.com/docs/security#jwt-token-revocation. The demo at https://github.com/FastEndpoints/Refresh-Tokens-Demo might be helpful.
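As an added illustration of the acceptance criteria above (not the project's code, and not the FastEndpoints or ASP.NET Identity implementation linked in the proposed solution), the following plain C# sketch encodes the rules: one refresh token per user, single use with rotation, the token must belong to the subject of the presented JWT, the JWT must carry a valid signature but may be expired, and revocation drops the token. It assumes an HS256 symmetric signing key of at least 32 bytes, the user id in the NameIdentifier claim, and an in-memory store standing in for the UserStore/database; only a SHA-256 hash of each refresh token is kept server-side.

```csharp
// Added example, not the project's code. Assumptions: HS256 key (>= 32 bytes),
// user id in ClaimTypes.NameIdentifier, in-memory store instead of the UserStore.
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public sealed class RefreshTokenStore
{
    // One record per user: issuing a new token overwrites the old one, so a user
    // can never hold more than one live refresh token (acceptance criterion).
    private readonly ConcurrentDictionary<string, (byte[] Hash, DateTimeOffset Expires)> _tokens = new();
    private readonly TimeSpan _lifetime;

    public RefreshTokenStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Returns the raw token for the client; only its hash is stored, so a leaked
    // store does not yield usable refresh tokens.
    public string Issue(string userId)
    {
        var raw = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _tokens[userId] = (Hash(raw), DateTimeOffset.UtcNow.Add(_lifetime));
        return raw;
    }

    // Single use: a successful check removes the record, so replaying the same
    // refresh token fails. The token must belong to userId and be unexpired.
    public bool TryConsume(string userId, string presented)
    {
        if (!_tokens.TryGetValue(userId, out var rec)) return false;
        if (rec.Expires <= DateTimeOffset.UtcNow) { _tokens.TryRemove(userId, out _); return false; }
        if (!CryptographicOperations.FixedTimeEquals(rec.Hash, Hash(presented))) return false;
        return _tokens.TryRemove(userId, out _);
    }

    // Revoke endpoint: drop the record regardless of its state.
    public bool Revoke(string userId) => _tokens.TryRemove(userId, out _);

    private static byte[] Hash(string token) => SHA256.HashData(Encoding.UTF8.GetBytes(token));
}

public sealed class TokenService
{
    private readonly SymmetricSecurityKey _key;
    private readonly RefreshTokenStore _store;
    private readonly TimeSpan _accessLifetime;

    public TokenService(byte[] signingKey, RefreshTokenStore store, TimeSpan accessLifetime)
    {
        _key = new SymmetricSecurityKey(signingKey);
        _store = store;
        _accessLifetime = accessLifetime;
    }

    // Login path: a short-lived JWT plus a fresh refresh token.
    public (string AccessToken, string RefreshToken) IssuePair(string userId)
    {
        var jwt = new JwtSecurityToken(
            claims: new[] { new Claim(ClaimTypes.NameIdentifier, userId) },
            expires: DateTime.UtcNow.Add(_accessLifetime),
            signingCredentials: new SigningCredentials(_key, SecurityAlgorithms.HmacSha256));
        return (new JwtSecurityTokenHandler().WriteToken(jwt), _store.Issue(userId));
    }

    // Refresh endpoint logic: the presented JWT must have a valid signature but may
    // be expired (ValidateLifetime = false); its subject must own the refresh token.
    // Returns null when the request must be rejected.
    public (string AccessToken, string RefreshToken)? Refresh(string expiredJwt, string refreshToken)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = _key,
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateLifetime = false, // expiry is deliberately ignored here
            ClockSkew = TimeSpan.Zero,
        };
        ClaimsPrincipal principal;
        try { principal = new JwtSecurityTokenHandler().ValidateToken(expiredJwt, parameters, out _); }
        catch (Exception e) when (e is SecurityTokenException or ArgumentException) { return null; }

        var userId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is null || !_store.TryConsume(userId, refreshToken)) return null;
        return IssuePair(userId); // rotation: a new JWT and a new refresh token
    }
}
```

Calling Refresh twice with the same refresh token fails the second time because TryConsume removed the record, and a token issued for one user is rejected when presented with another user's JWT because the lookup is keyed by the JWT subject. A real endpoint would still return 401 for anonymous callers before reaching this logic, and would persist the hash and expiry through the UserStore rather than a dictionary.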