C# OWIN authentication best practice

痞子三分冷 submitted on 2020-04-17 22:04:14

Question

We have implemented OWIN authentication in C# without a refresh token. However, recently we started facing a token expiry issue on the user interface. We have kept the token expiry at 20 mins. Now we need to get rid of this issue, so we thought of two solutions.

The first solution is to add a validation before every API call to check whether the token is going to expire; if it is, then generate a new access token using the refresh token.

The second solution is to add custom logic on the client side that keeps monitoring the expiry of the token; if it is going to expire, then a new access token will be generated using an existing access token. I am not sure whether this is possible (note: this is without a refresh token).

I'm posting images below. Could you please let me know which architecture is correct? Please let me know the do's and don'ts. I would also like to hear from you what the correct way to store the tokens on the client side is.

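    using System;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    // Conventional OWIN startup class wrapping the two posted methods.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureOAuth(app);
            // Rest of code is here
        }

        public void ConfigureOAuth(IAppBuilder app)
        {
            OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
            {
                // Permits token requests over plain HTTP; credentials and tokens are then sent unencrypted.
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/api/token"),
                // Access tokens expire after 20 minutes; no RefreshTokenProvider is configured.
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
                Provider = new AuthorizationServerProvider()
            };

            // Token generation
            app.UseOAuthAuthorizationServer(OAuthServerOptions);
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        }
    }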

Source: https://stackoverflow.com/questions/61234947/c-sharp-owin-authentication-best-practice
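The first option in the question depends on the server issuing refresh tokens, which the posted configuration does not set up. The following is an added example, not part of the original post: a refresh token provider for the same OWIN middleware that issues single-use tokens and stores only their hash. The class name `RotatingRefreshTokenProvider`, the in-memory store and the 8-hour lifetime are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical provider. Wire it up in the posted options with:
//   RefreshTokenProvider = new RotatingRefreshTokenProvider()
// The client then posts grant_type=refresh_token to the existing /api/token endpoint.
public class RotatingRefreshTokenProvider : AuthenticationTokenProvider
{
    // Constructed in-memory store (token hash -> protected ticket); use a durable store in practice.
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    private static readonly TimeSpan RefreshLifetime = TimeSpan.FromHours(8); // assumed value

    public override void Create(AuthenticationTokenCreateContext context)
    {
        // The token handed to the client is random and carries no claims itself.
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(raw); }
        string token = Convert.ToBase64String(raw);

        // The stored ticket gets the refresh lifetime instead of the 20-minute access lifetime.
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.Add(RefreshLifetime);

        // Only the hash is kept server-side, so a leaked store does not yield usable tokens.
        Store[Hash(token)] = context.SerializeTicket();
        context.SetToken(token);
    }

    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        // TryRemove makes every refresh token single-use: a replayed token finds no entry,
        // no ticket is set, and the middleware rejects the request.
        string serialized;
        if (Store.TryRemove(Hash(context.Token), out serialized))
        {
            context.DeserializeTicket(serialized);
        }
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }
}
```

Each successful refresh calls `Create` again, so the client receives a new refresh token alongside the new access token and must replace the old one.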
