I have a problem with revocation of a "refresh token" after it has expired. I have the standard "OpenIddict Tokens" table where OpenIddict stores tokens. In the Startup class where I configure OpenIddict, I set:
.SetRefreshTokenLifetime(TimeSpan.FromSeconds(1)) // It is just for check revocation of token
Immediately after receiving the tokens from /connect/token I try to refresh my tokens. I get the "The specified refresh token is no longer valid" error, and I noticed that in the database there is still a record of the expired refresh token.
Should it stay there, or should it be removed from the database?
Only the access token can be refreshed using a refresh token. In practice, the refresh token is long-lived, as it represents the authorization granted to the client by the resource owner, and an expired/blacklisted refresh token means that the client's access was revoked. In other words, if the client has an expired refresh token, it must authenticate again and receive a new pair of access/refresh tokens to access the resources.
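For contrast with the one-second test setting from the question, here is an added configuration example (not code from the question, the answer, or the OpenIddict project) showing a realistic refresh-token lifetime, rolling refresh tokens, and scheduled pruning of expired rows from the tokens table. It assumes OpenIddict 3.x with the OpenIddict.EntityFrameworkCore and OpenIddict.Quartz packages; `ApplicationDbContext` and the `Configure` method are hypothetical names.

```csharp
using System;
using Microsoft.Extensions.DependencyInjection;
using Quartz;

public static class OpenIddictSetup
{
    // testRevocation = true reproduces the question's 1-second lifetime;
    // false is the production-style configuration.
    public static void Configure(IServiceCollection services, bool testRevocation)
    {
        // Quartz.NET scheduler used by OpenIddict's pruning job (assumed package: OpenIddict.Quartz).
        services.AddQuartz(options =>
        {
            options.UseSimpleTypeLoader();
            options.UseInMemoryStore();
        });
        services.AddQuartzHostedService(options => options.WaitForJobsToComplete = true);

        services.AddOpenIddict()
            .AddCore(options =>
            {
                // ApplicationDbContext is a hypothetical EF Core context holding the OpenIddict tables.
                options.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>();
                // Registers a background job that periodically deletes expired and revoked
                // rows from the tokens table. Without it, an expired refresh token row stays
                // in the database even though it can no longer be redeemed.
                options.UseQuartz();
            })
            .AddServer(options =>
            {
                options.SetTokenEndpointUris("/connect/token");
                options.AllowAuthorizationCodeFlow().AllowRefreshTokenFlow();
                options.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();

                // Short-lived access token, long-lived refresh token.
                options.SetAccessTokenLifetime(TimeSpan.FromMinutes(15));
                options.SetRefreshTokenLifetime(testRevocation
                    ? TimeSpan.FromSeconds(1)   // question's value: only to observe the rejection
                    : TimeSpan.FromDays(14));   // realistic: represents the user's grant to the client

                // Each successful refresh issues a new refresh token and marks the old one as
                // redeemed, so a replayed copy of an old refresh token is rejected with invalid_grant.
                options.UseRollingRefreshTokens();

                options.UseAspNetCore().EnableTokenEndpointPassthrough();
            });
    }
}
```

With `testRevocation = true` the refresh attempt fails exactly as described in the question; the row only disappears once the pruning job runs, which is why it is still present immediately afterwards.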