But where are they stored?
By default, they are stored nowhere: they are self-contained. As long as the encryption keys used to protect the refresh tokens are still in the ASP.NET Data Protection key ring, they can be decrypted by ASOS and used to issue new access tokens.
How can I change the expiration date of the token?
The default expiration date can be set globally from the options, using the RefreshTokenLifetime property. If you don't provide your own lifetime, they are valid for 14 days.
Note that sliding expiration is also enabled by default, which means you get a new refresh token (valid for 14 days) each time you make a new grant_type=refresh_token request. You can disable sliding expiration by setting UseSlidingExpiration to false.
... or delete it?
Since refresh tokens are self-contained, you can't delete them. You could of course consider using custom tokens (like unique strings corresponding to an entry in a database) by overriding the SerializeRefreshToken and DeserializeRefreshToken events, but the recommended approach is to simply treat them as invalid when receiving a refresh token request.
For that, you can override the HandleTokenRequest event and call context.Reject() if you consider that a refresh_token was revoked and cannot be used to issue new tokens.
How can I determine for which user a refresh token is created?
Refresh tokens contain all the claims you add when creating the original authentication ticket, so if you add a sub claim corresponding to the user identifier, you can use it to retrieve the user profile from the database.
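Putting the three answers together, here is an added example (not code from the original answer or from the ASOS project) that sets RefreshTokenLifetime and UseSlidingExpiration and rejects revoked refresh tokens from the HandleTokenRequest event. It assumes ASOS 2.x on ASP.NET Core (AddOpenIdConnectServer, OpenIdConnectConstants, the IsRefreshTokenGrantType extension) and invents a small per-user revocation store (IRevokedBefore, InMemoryRevokedBefore) keyed on the sub claim: any refresh token issued before the user's cutoff instant is treated as revoked.

```csharp
// Added example, not from the original answer. IRevokedBefore and
// InMemoryRevokedBefore are hypothetical names invented for this example.
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.Extensions.DependencyInjection;

public interface IRevokedBefore
{
    // Instant before which every refresh token of this user counts as revoked
    // (set it when the user signs out everywhere or changes their password).
    DateTimeOffset? Get(string subject);
    void Set(string subject, DateTimeOffset instant);
}

public class InMemoryRevokedBefore : IRevokedBefore
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _cutoffs =
        new ConcurrentDictionary<string, DateTimeOffset>();
    public DateTimeOffset? Get(string subject) =>
        _cutoffs.TryGetValue(subject, out var t) ? t : (DateTimeOffset?)null;
    public void Set(string subject, DateTimeOffset instant) => _cutoffs[subject] = instant;
}

public static class RefreshTokenSetup
{
    public static void Configure(IServiceCollection services, IRevokedBefore revocations)
    {
        services.AddAuthentication().AddOpenIdConnectServer(options =>
        {
            options.RefreshTokenLifetime = TimeSpan.FromDays(7); // default: 14 days
            options.UseSlidingExpiration = false;                 // default: true

            options.Provider.OnHandleTokenRequest = context =>
            {
                // Only grant_type=refresh_token carries a deserialized ticket here.
                if (!context.Request.IsRefreshTokenGrantType()) return Task.CompletedTask;

                // The sub claim added to the original ticket identifies the user.
                var subject = context.Ticket.Principal.FindFirst(OpenIdConnectConstants.Claims.Subject)?.Value;
                var issued = context.Ticket.Properties.IssuedUtc;
                var cutoff = subject == null ? null : revocations.Get(subject);

                if (subject == null || (cutoff.HasValue && issued.HasValue && issued.Value < cutoff.Value))
                {
                    // Reject instead of "deleting": the token stays self-contained but is refused.
                    context.Reject(OpenIdConnectConstants.Errors.InvalidGrant, "The refresh token has been revoked.");
                }
                return Task.CompletedTask;
            };
        });
    }
}
```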