Ok, I am failing to get IS4 to issue a refresh token during authorization_code flow, even though I (believe) turned it on, and the client is requesting it by including offline_access
in the scope. I add the IS4 using:
services.AddIdentityServer()
.AddInMemoryClients(Config.Clients)
.AddPersistedGrantStore<PersistedGrantStore>()
.AddInMemoryIdentityResources(Config.IdentityResources)
.AddSigningCredential(loadedX509pfx);
// identity resources from another file:
public static IEnumerable<IdentityResource> IdentityResources =>
new IdentityResource[]
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
};
Client is defined as (I included everything except URLs for brevity):
ClientId = "MyClientBlahBlah",
ClientSecrets = new List<Secret> { new("secretXX".Sha256()) },
RequireClientSecret = false,
RequireConsent = false,
AllowedGrantTypes = GrantTypes.Code,
AccessTokenType = AccessTokenType.Jwt,
AccessTokenLifetime = (int)TimeSpan.FromDays(7).TotalSeconds,
IdentityTokenLifetime = (int)TimeSpan.FromDays(7).TotalSeconds,
AbsoluteRefreshTokenLifetime = (int)TimeSpan.FromDays(30).TotalSeconds,
SlidingRefreshTokenLifetime = (int)TimeSpan.FromDays(15).TotalSeconds,
UpdateAccessTokenClaimsOnRefresh = true,
AllowOfflineAccess = true,
RefreshTokenExpiration = TokenExpiration.Sliding,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
AlwaysSendClientClaims = true,
Enabled = true,
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.OfflineAccess
},
RequirePkce = false,
...
However, when the request comes via this request:
GET /connect/authorize?client_id=MyClientBlahBlah&response_type=code&scope=openid%20profile%20offline_access&redirect_uri=<targeturl>
and the user logs in, the redirect URL is called only with authorization code:
There is no mention of refresh token anywhere. When I check the grant persistence store, the record was created (though its set to expire in 5 mins), however, again, the Data
JSON in the record of store does not contain any mention of the refresh and there is no additional record being created for the subject.
{
"CreationTime" : "2022-03-28T15:56:26Z",
"Lifetime" : 300,
"ClientId" : "MyClientBlahBlah",
"Subject" : {...} <full json of claims, which is ok>
"IsOpenId" : true,
"RequestedScopes" : [
"0" : "opened",
"1" : "profile",
"2" : "offline_access"
],
"RedirectUri" : "targetURL",
"Nonce" : null,
"StateHash" : "d8EeV5-CyXT_-vbd8gRcRA",
"WasConsentShown" :false,
"SessionId" : "8DBD74DF791AD6C04FCCB78A3CF57C6E",
"CodeChallenge" : "",
"CodeChallengeMethod" : null,
"Description" : null,
"Properties" : { }
}
What am I doing wrong or what have I forgotten to include? I can't seem to find any help with documentation, most people have this problem when they forget to include offline_access
in scope
, which is not the case here.
The tokens (ID/Access/Refresh) are not meant be included in this request:
GET /connect/authorize?client_id=MyClientBlahBlah&response_type=code&scope=openid%20profile%20offline_access&redirect_uri=<targeturl>
Instead the OpenIDConnect handler in ASP.NET Core will after receiving the authorization code, ask for the tokens in a separate request between ASP.NET Core and IdentityServer. A request not visible to the user/browser.
Using the code below you can check what tokens that you actually have received:
string accessToken = await HttpContext.GetTokenAsync("access_token");
string idToken = await HttpContext.GetTokenAsync("id_token");
string refreshToken = await HttpContext.GetTokenAsync("refresh_token");
string tokenType = await HttpContext.GetTokenAsync("token_type");
string accessTokenExpire = await HttpContext.GetTokenAsync("expires_at");