ASP.NET and JWT Refresh Tokens

Your JSON Web Token has expired. Do you have to go to the effort of entering your name and password again? Not if you have a refresh token.

Topics include:
- Trading off security and convenience
- Synchronizing servers with ClockSkew
- Distinguishing the authentication server and the data server
- Storing refresh tokens on the database
- Returning a new JWT in exchange for an expired JWT and a refresh token
- Revoking a refresh token
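A minimal refresh/revoke controller that follows the topic list above: verify the expired JWT's signature but not its lifetime, match the presented refresh token against the one stored on the user row, rotate it, and clear it on revoke. This is an added example, not the video's code; it assumes a .NET 6+ project with implicit usings, an `ApplicationUser : IdentityUser` with `RefreshToken`/`RefreshTokenExpiry` columns, `Jwt:Key`/`Jwt:Issuer`/`Jwt:Audience` settings, and the constant-time comparison and refresh-token rotation are additions of mine.

```csharp
// Added example (not the video's code). Assumes .NET 6+ implicit usings, ApplicationUser : IdentityUser with RefreshToken/RefreshTokenExpiry columns, and Jwt:Key/Issuer/Audience settings.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
public record RefreshRequest(string AccessToken, string RefreshToken);
[ApiController, Route("api/token")]
public class TokenController(UserManager<ApplicationUser> users, IConfiguration config) : ControllerBase
{
    [HttpPost("refresh")]
    public async Task<IActionResult> Refresh(RefreshRequest req)
    {
        // 1. Verify the expired JWT's signature, alg, issuer and audience; skip only the lifetime check.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["Jwt:Key"]!));
        var rules = new TokenValidationParameters
        {
            IssuerSigningKey = key, ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            ValidIssuer = config["Jwt:Issuer"], ValidAudience = config["Jwt:Audience"],
            ValidateLifetime = false,   // issuer/audience/signature validation stay on (library defaults)
        };
        ClaimsPrincipal principal;
        try { principal = new JwtSecurityTokenHandler().ValidateToken(req.AccessToken, rules, out _); }
        catch (SecurityTokenException) { return Unauthorized(); }
        // 2. The presented refresh token must equal the stored one (constant-time) and be unexpired (null expiry rejects).
        var user = await users.FindByNameAsync(principal.Identity?.Name ?? "");
        if (user?.RefreshToken is null || !(user.RefreshTokenExpiry > DateTime.UtcNow) || !CryptographicOperations
                .FixedTimeEquals(Encoding.UTF8.GetBytes(user.RefreshToken), Encoding.UTF8.GetBytes(req.RefreshToken)))
            return Unauthorized();
        // 3. Rotate the refresh token (the old one stops working) and issue a new short-lived JWT.
        user.RefreshToken = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        user.RefreshTokenExpiry = DateTime.UtcNow.AddDays(7);
        await users.UpdateAsync(user);
        var jwt = new JwtSecurityToken(config["Jwt:Issuer"], config["Jwt:Audience"],
            new[] { new Claim(ClaimTypes.Name, user.UserName!) }, expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        return Ok(new { accessToken = new JwtSecurityTokenHandler().WriteToken(jwt), refreshToken = user.RefreshToken });
    }
    [HttpPost("revoke"), Authorize]   // revoke = clear the stored token; the current JWT still lives until its exp
    public async Task<IActionResult> Revoke()
    {
        var user = await users.GetUserAsync(User);
        if (user is null) return Unauthorized();
        user.RefreshToken = null; user.RefreshTokenExpiry = null;
        await users.UpdateAsync(user); return NoContent();
    }
}
```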
Comments

Do you use refresh tokens or just stick with JWTs? Let me know in the comments.
And if you liked the video, click the 👍.

CodingTutorialsAreGo

Spent ages trying to find a decent video and glad I bumped into this one. Have subbed to your channel as well, keep up the good work!

TrevorWinns

Great video! Maybe it's the only one that uses Logging, which I think is very important. Thanks a lot.

marceloleoncaceres

High quality content, as usual. Very appreciated! Many thanks.

georgehomorozeanu

Thank you for the tutorial! This is really useful for me.

exus

Your videos are amazing. Yet another time, only after watching your video do I truly get an understanding of how something works.

tobiaszwojnar

Great content! Thanks for sharing this awesome tutorial!

alisonhj

Hi Jasper, again thanks for a high quality content video!!

I wonder, having the ClockSkew within the gap of the Timespan defined in the validation parameters.

Wouldn't it be appropriate to make the refresh token endpoint protected with the Authorize attribute and document that the refresh token endpoint must be called within X seconds/minutes of the time span in order to generate a new JWT?

So, instead of creating logic for adding a column or attribute for the Refresh Token in the Users table, the ClockSkew is the key for refreshing a new JWT, thus the Authorize data annotation will do the work of validating the token.

Thanks again for your videos, they are very helpful 💯

diegomelgar

I can't say thank you enough. You literally saved me. Thank you very much sir. I tried to watch so many tutorials but failed because they are not beginner friendly. But you explain everything from the fundamental level so anyone could understand it.
I have one question. Why did you choose to use an Authentication Handler instead of updating the Authentication State provider and using it for accessing the login state?

Lashib

What a gentleman! Thank you for this beautiful video. Not only are your clothes beautiful, but your diction is also amazing!

pemifo

Just a question, what if the same user logs in on two different devices?
For example, a user logs in on the first device; it will update the RefreshToken column for that user in the AspNetUsers table. On the device 2 login, it will update the existing RefreshToken column value (it will replace the device 1 refresh token with the device 2 refresh token). So for device 1, how will the refresh token work?

Rommy-gqpv

I have a question. When I have a MAUI app as the client, for example, what is the best practice for the refresh flow to maintain a high user experience? Because when the access token is invalid, it would take six calls until I have the data if the token needs to be refreshed. So, should the token be refreshed in the background if it’s expired to maintain a high UX? Regards

johannes

Just a question.

When we are calling the refresh endpoint, do we need to update the expiry time of the refresh token?

jacksonjohn

Thank you for the fruitful tutorial, but I have one question: why do I need to pass the expired access token and the active refresh token to the refresh endpoint? Why not just send the active refresh token, then check the users table for the passed refresh token and also check for expiration?

wissambishouty

Awesome, thanks for this great video <3

sadafziya