IdentityServer Refresh Extension Grant


I have implemented an extension grant in my Identity Server instance. The purpose of this is for a mobile app to switch contexts between an authenticated user and a public kiosk type device.

When the user enters this mode, I acquire a new token and include the proper grant type.

I used the IS documentation as a base. Nothing crazy going on here at all, I just add some additional claims to this token to be able to access things in the API the user may otherwise not be set up for.

using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;

public class KioskGrantValidator : IExtensionGrantValidator
{
    private readonly ITokenValidator _validator;

    public KioskGrantValidator(ITokenValidator validator)
    {
        _validator = validator;
    }

    public string GrantType => "kiosk";

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // The caller passes the user's current access token as the "token" form parameter.
        var userToken = context.Request.Raw.Get("token");

        if (string.IsNullOrEmpty(userToken))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
            return;
        }

        // Validate signature, lifetime and issuer of the user token; this is what fails once it expires.
        var result = await _validator.ValidateAccessTokenAsync(userToken);
        if (result.IsError)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
            return;
        }

        // get user's identity (reject tokens without a subject instead of dereferencing null)
        var sub = result.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;
        if (string.IsNullOrEmpty(sub))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
            return;
        }

        // I add some custom claims here
        List<Claim> newClaims = new()
        {
            new Claim(ClaimTypes.Name, "kiosk")
        };

        context.Result = new GrantValidationResult(sub, GrantType, claims: newClaims);
        return;
    }
}

Now, the question is refreshing this token.

For this grant to work, I'm passing in the access token, which expires, eventually causing ValidateAccessTokenAsync to fail.

I wanted to see what the best way to refresh this token is. Currently the best way I have found is to refresh the original user access token when this one is about to expire, then get a second token with the new grant. This works, but seems maybe unnecessary.

Thanks for any input!


There are 0 answers
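One way to avoid the double round trip described in the question is to let IdentityServer issue a refresh token for the kiosk grant itself, so the kiosk token is refreshed with the standard refresh_token grant and the user's access token is only needed once, when entering kiosk mode. The example below is added here and is not the asker's code; it assumes IdentityServer4 with IdentityModel on the client, and the client id "mobile-app", secret "replace-me", API scope "api" and the "mode" claim are all hypothetical names. It also assumes, as is the case in IdentityServer4, that a refresh token is issued for an extension grant when the client has AllowOfflineAccess set and requests the offline_access scope. The validator additionally pins the presented user token to an expected scope and to the requesting client, which the original validator does not do.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// 1. Client configuration (hypothetical names). AllowOfflineAccess is what makes
//    IdentityServer hand out a refresh token alongside the kiosk access token.
public static class KioskClients
{
    public static IEnumerable<Client> Get() => new[]
    {
        new Client
        {
            ClientId = "mobile-app",
            ClientSecrets = { new Secret("replace-me".Sha256()) },
            AllowedGrantTypes = { "kiosk" },              // add the app's normal user grant here too
            AllowedScopes = { "api" },
            AllowOfflineAccess = true,                    // enables offline_access / refresh tokens
            RefreshTokenUsage = TokenUsage.OneTimeOnly,   // rotate the refresh token on every use
            RefreshTokenExpiration = TokenExpiration.Sliding,
            SlidingRefreshTokenLifetime = 8 * 60 * 60     // how long a kiosk session may keep refreshing
        }
    };
}

// 2. Extension grant validator, hardened: the user token must carry the "api"
//    scope and must have been issued to the same client that is now exchanging it.
public class KioskGrantValidator : IExtensionGrantValidator
{
    private readonly ITokenValidator _validator;
    public KioskGrantValidator(ITokenValidator validator) => _validator = validator;
    public string GrantType => "kiosk";

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        var userToken = context.Request.Raw.Get("token");
        if (string.IsNullOrEmpty(userToken)) { Fail(context); return; }

        // expectedScope makes ValidateAccessTokenAsync reject tokens lacking the scope
        var result = await _validator.ValidateAccessTokenAsync(userToken, expectedScope: "api");
        if (result.IsError) { Fail(context); return; }

        // Reject a user token that was issued to a different client (e.g. stolen elsewhere).
        var clientId = result.Claims.FirstOrDefault(c => c.Type == "client_id")?.Value;
        if (clientId != context.Request.Client.ClientId) { Fail(context); return; }

        var sub = result.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;
        if (string.IsNullOrEmpty(sub)) { Fail(context); return; }

        // Claims placed here are carried into the refresh token, so a refreshed
        // kiosk token keeps the kiosk context without re-validating the user token.
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, "kiosk"),
            new Claim("mode", "kiosk")   // hypothetical claim the API can authorize on
        };
        context.Result = new GrantValidationResult(sub, GrantType, claims);
    }

    private static void Fail(ExtensionGrantValidationContext context) =>
        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
}

// 3. Client side: enter kiosk mode once, then refresh with the kiosk refresh token only.
public static class KioskTokenFlow
{
    public static Task<TokenResponse> EnterKioskModeAsync(HttpClient http, string tokenEndpoint, string userAccessToken) =>
        http.RequestTokenAsync(new TokenRequest
        {
            Address = tokenEndpoint,
            GrantType = "kiosk",
            ClientId = "mobile-app",
            ClientSecret = "replace-me",
            Parameters =
            {
                { "token", userAccessToken },
                { "scope", "api offline_access" }   // offline_access requests the refresh token
            }
        });

    // The user's access token is not involved here, so its expiry no longer matters.
    public static Task<TokenResponse> RefreshKioskTokenAsync(HttpClient http, string tokenEndpoint, string kioskRefreshToken) =>
        http.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = tokenEndpoint,
            ClientId = "mobile-app",
            ClientSecret = "replace-me",
            RefreshToken = kioskRefreshToken
        });
}
```

Check the response of EnterKioskModeAsync for a non-null RefreshToken before relying on this flow; if it is null, the client is missing AllowOfflineAccess or the request did not include offline_access. Since the kiosk refresh token is long-lived and, on this device, lives outside the user's own session, keep the sliding lifetime short and use one-time refresh tokens so a copied token is detected on its next use.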