You are currently viewing Refresh tokens with .NET 5 Web API and .NET Core Identity

Refresh tokens with .NET 5 Web API and .NET Core Identity

This blog post is continuation of my previous post. In the previous post, I tried to discuss about what is refresh token, why it is required and generally how it is implemented.

In this article, let’s try to implement a demo of refresh tokens in .NET 5 web API, which uses ASP .NET Core identity. You can download the base code from my GitHub respository. In the same solution, we will try to implement the refresh tokens.

Let’s begin !

I already have a .NET Core Web API project, which uses .NET Core Identity. On successful authentication, the Login API returns a JWT token which can be used to call the weather forecast.

The modifications can be separated into three parts. Let’s have a look at them step by step.

Data Models

The solution uses Entity Framework code first approach. We will create a new model RefreshToken, which holds information about all the refresh tokens issued by the system. We will also modify the user entity a bit, to hold the refresh tokens issued for a user. Below snippet shows both the models.

Auth Controller

In this controller, there are few changes.


The API calls GenerateTokens method, which creates access token and refresh token. The access token is returned in the result of API. The refreshToken cookie is also sent along with response, which contains the refresh token. The new generated refresh token is also saved in database.


API is also modified and it revokes the current refresh token.

Refresh Token

The API takes the incoming refresh token and if incoming token is valid, then the new refresh token cookie and access token is returned to the caller.

Revoke Token

This API would revoke the token which was sent as parameter. If there was no input parameter, then the refreshToken cookie from incoming request would be revoked.


The startup code is given below. There is minor change from our base code. Now, instead of IdentityUser, the code is now using derived class ApplicationUser class, while registering .NET Core identity.


The completed code has a JSON file, which can be imported in the Postman, that should setup Postman request collection for you. Below is the sequence that you can run :

  • Call Login API to get access token in response and refresh token in cookie
  • Set Authorization header to “Bearer {access-token}” , where {access-token} represents the access token you got as a response of Login API. After this, call weather forecast API. You should get successful response.
  • Call weather forecast API after access token is expired. This should return 401 unauthorized.
  • Now, call the RefreshToken API, no need of providing existing access token. The refreshToken cookie would automatically be sent to the API. This should return you the new access token and new refresh token.
  • You can again set the authorization header and call weather forecast API to ensure that new access token works.
  • Now, you can try calling RevokeToken API. If you do not pass anything in the body, current refresh token would be revoked. Which means if you call Refresh Token API again, you will not get new tokens as your current refresh token is revoked.
Access token and refresh token using .NET 5 Web API

I hope you liked this blog post. Let me know your thoughts.

You can view or download the completed source code from the below link.

Leave a ReplyCancel reply

This Post Has 2 Comments

  1. Julien Grossrieder

    Nice article, thank you!
    One thing I wonder:
    You directly use the DbContext in the AuthController, but shouldn’t we use the Asp.Net Core Identity’s UserManager instead? Because, now you specify at two places where your users are stored. You might ends up using another source of users, but then you have to rewrite a lot of things of your AuthController?

    1. Manoj Choudhari
      Manoj Choudhari

      Glad to know that the content was helpful !

      And to answer your question: Many other things are not considered here to keep focus on basic implementation for refresh tokens.
      I think once you know how it can be achieved, the design of AuthController and related functionality should be done based on overall design of your application. Of course, you will have to add new classes, you will have to add code for appropriate error handling and logging. Again, the purpose of this article was to demonstrate a basic implementation with minimal example, which can be referred.