This blog post is continuation of my previous post. In the previous post, I tried to discuss about what is refresh token, why it is required and generally how it is implemented.

In this article, let’s try to implement a demo of refresh tokens in .NET 5 web API, which uses ASP .NET Core identity. You can download the base code from my GitHub respository. In the same solution, we will try to implement the refresh tokens.

Let’s begin !

I already have a .NET Core Web API project, which uses .NET Core Identity. On successful authentication, the Login API returns a JWT token which can be used to call the weather forecast.

The modifications can be separated into three parts. Let’s have a look at them step by step.

Data Models

The solution uses Entity Framework code first approach. We will create a new model RefreshToken, which holds information about all the refresh tokens issued by the system. We will also modify the user entity a bit, to hold the refresh tokens issued for a user. Below snippet shows both the models.

Auth Controller

In this controller, there are few changes.

Login

The API calls GenerateTokens method, which creates access token and refresh token. The access token is returned in the result of API. The refreshToken cookie is also sent along with response, which contains the refresh token. The new generated refresh token is also saved in database.

Logout

API is also modified and it revokes the current refresh token.

Refresh Token

The API takes the incoming refresh token and if incoming token is valid, then the new refresh token cookie and access token is returned to the caller.

Revoke Token

This API would revoke the token which was sent as parameter. If there was no input parameter, then the refreshToken cookie from incoming request would be revoked.

Startup

The startup code is given below. There is minor change from our base code. Now, instead of IdentityUser, the code is now using derived class ApplicationUser class, while registering .NET Core identity.

Verification

The completed code has a JSON file, which can be imported in the Postman, that should setup Postman request collection for you. Below is the sequence that you can run :

• Call Login API to get access token in response and refresh token in cookie
• Set Authorization header to “Bearer {access-token}” , where {access-token} represents the access token you got as a response of Login API. After this, call weather forecast API. You should get successful response.
• Call weather forecast API after access token is expired. This should return 401 unauthorized.
• Now, call the RefreshToken API, no need of providing existing access token. The refreshToken cookie would automatically be sent to the API. This should return you the new access token and new refresh token.
• You can again set the authorization header and call weather forecast API to ensure that new access token works.
• Now, you can try calling RevokeToken API. If you do not pass anything in the body, current refresh token would be revoked. Which means if you call Refresh Token API again, you will not get new tokens as your current refresh token is revoked.

I hope you liked this blog post. Let me know your thoughts.

You can view or download the completed source code from the below link.