Search code examples
oauthowinkatana

How to do long lived tokens with Katana OAuth Bearer Tokens

From the SPA template i managed to get basic OAuth flows working.

    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        AllowInsecureHttp = true, 
        ApplicationCanDisplayErrors = true,
        TokenEndpointPath = new Microsoft.Owin.PathString("/Token"),
        AuthorizeEndpointPath = new Microsoft.Owin.PathString("/api/Account/ExternalLogin"),
        Provider = new CompositeWebroleOauthProvider<User>(PublicClientId, IdentityManagerFactory, CookieOptions)
    };

I have a single page application that is hosted on a seperate domain that will interact with the webapi using the bearer tokens from the Token endpoint.

I am doing the ResourceOwnerCredentials flow, with a request with the following data:

 data: {
        grant_type: "password",
        username: username,
        password: password
       }

These tokens are short lived ect. I now would like to extend my application such I can get a refress token or something such I do not have to authenticate all the time. What is my next steps?

The GrantResourceOwnerCredentials implementation:

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    using (var identityManager = _identityManagerFactory.Create())
    {
        var user = await identityManager.FindAsync(context.UserName, context.Password);

        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }               

        ClaimsIdentity oAuthIdentity = await identityManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
        AuthenticationProperties properties = CreatePropertiesAsync(user);
        AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
        context.Validated(ticket);

    }
}
Solution

  • I just had to set the provider for it to generate refresh tokens.

    Any comments for pointers on when to set refresh tokens and not would be nice. 

     RefreshTokenProvider = new AuthenticationTokenProvider
 {
     OnCreate = CreateRefreshToken,
     OnReceive = ReceiveRefreshToken,
 }


    private void CreateRefreshToken(AuthenticationTokenCreateContext context)
    {
        context.SetToken(context.SerializeTicket());
    }

    private void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
    {
        context.DeserializeTicket(context.Token);
    }