From the documentation:

Interactive clients should use an authorization code-based flow. To protect against code substitution, either hybrid flow or PKCE should be used.
Thus the combination of PKCE and hybrid flow is not necessary and probably not useful.
If PKCE is available, this is the simpler solution to the problem.
PKCE is already the official recommendation for native applications and SPAs, and with the release of ASP.NET Core 3 it is also supported by default in the OpenID Connect handler.
So instead of using the hybrid flow, configure it as an interactive ASP.NET Core MVC client:
    new Client
    {
        ClientId = "mvc",
        ClientSecrets = { new Secret("secret".Sha256()) },
        // authorization code flow instead of hybrid
        AllowedGrantTypes = GrantTypes.Code,
        RequireConsent = false,
        // authorization requests without a code_challenge are rejected
        RequirePkce = true,
        // where to redirect to after login
        RedirectUris = { "http://localhost:5002/signin-oidc" },
        // where to redirect to after logout
        PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
        AllowedScopes = new List<string>
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile
        }
    }
Where the mvc client has the expected configuration:
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "http://localhost:5000";
        // development only (plain http authority); keep the default of true in production
        options.RequireHttpsMetadata = false;
        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        // code flow; the ASP.NET Core 3 handler sends a PKCE code_challenge by default
        options.ResponseType = "code";
        options.SaveTokens = true;
    });
I can also recommend this post from Brock Allen. This may answer your question about cookies. You can also check the post of Dominick Baier.
For information on how to use the refresh token please read my answer here.
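As an added illustration of why RequirePkce = true closes the code substitution gap on its own (this is example code, not from the answer above or from IdentityServer), the following Python models the S256 verifier/challenge binding from RFC 7636 with a hypothetical toy authorization server and shows a code issued for another session failing at the token endpoint:

```python
import base64
import hashlib
import secrets

def make_code_verifier(nbytes=32):
    """Client side: 32 random bytes -> 43 unreserved chars (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")

def code_challenge_s256(code_verifier):
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    """Toy stand-in for the authorize/token endpoints (hypothetical, not IdentityServer)."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id, code_challenge, method="S256"):
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' exposes the verifier")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)  # challenge bound to the code
        return code

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)  # a code is redeemable exactly once
        if entry is None:
            return False
        issued_to, challenge = entry
        if issued_to != client_id:
            return False
        # Only the session that created the verifier can hash to the stored challenge.
        return secrets.compare_digest(code_challenge_s256(code_verifier), challenge)

def demo():
    """Returns (legitimate exchange ok, substituted code rejected, replayed code rejected)."""
    server = AuthorizationServer()
    verifier = make_code_verifier()  # kept in the client's session; only the hash leaves it
    code = server.authorize("mvc", code_challenge_s256(verifier))
    legit = server.token("mvc", code, verifier)
    # Code substitution: a code minted for another session (other verifier) is delivered
    # to this client's callback; its stored challenge does not match this verifier.
    foreign_code = server.authorize("mvc", code_challenge_s256(make_code_verifier()))
    substituted_rejected = not server.token("mvc", foreign_code, verifier)
    replay_rejected = not server.token("mvc", code, verifier)  # already consumed above
    return legit, substituted_rejected, replay_rejected
```

The challenge function reproduces the RFC 7636 Appendix B test vector, so the same arithmetic applies to what the ASP.NET Core handler sends and IdentityServer checks.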