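// Refresh-token rotation for the auth controller. `user`, `CreateToken(...)` and the
// `RefreshToken` model are declared outside this listing.
// NOTE(review): if `user` is a single static field (as in the tutorial these references point
// to), this endpoint serves exactly one account and every caller shares one refresh token;
// a real deployment must look the user up by the presented token instead — confirm.

private const string RefreshTokenCookieName = "refreshToken";
private const int RefreshTokenLifetimeDays = 7;

/// <summary>
/// Exchanges the refresh-token cookie for a new access token and rotates the refresh token.
/// </summary>
/// <returns>
/// 200 with a freshly minted access token, or 401 when the cookie is missing, does not match
/// the token stored on the user, or the stored token has expired.
/// </returns>
[HttpPost("refresh-token")]
public async Task<ActionResult<string>> RefreshToken()
{
    var presented = Request.Cookies[RefreshTokenCookieName];
    var stored = user.RefreshToken;

    // A missing cookie or a user that was never issued a token cannot match (the original
    // `stored.Equals(presented)` would throw on a null `stored`). The comparison itself is
    // fixed-time so response latency does not reveal how many leading characters of the
    // stored token a guess got right; a length mismatch is rejected immediately, which is
    // fine because the length is not secret.
    if (string.IsNullOrEmpty(presented) || string.IsNullOrEmpty(stored)
        || !CryptographicOperations.FixedTimeEquals(
            System.Text.Encoding.UTF8.GetBytes(stored),
            System.Text.Encoding.UTF8.GetBytes(presented)))
    {
        return Unauthorized("Invalid Refresh Token.");
    }

    // TokenExpires is written in UTC by SetRefreshToken below, so it must be read against
    // UtcNow as well; DateTime.Now would shift the window by the server's zone offset.
    if (user.TokenExpires < DateTime.UtcNow)
    {
        return Unauthorized("Token expired.");
    }

    string token = CreateToken(user);

    // Rotate on every successful use: the presented token is replaced, so a stolen copy
    // stops working the moment the legitimate client refreshes (and a reuse of the old
    // value after that point lands in the Unauthorized branch above).
    var newRefreshToken = GenerateRefreshToken();
    SetRefreshToken(newRefreshToken);

    return Ok(token);
}

/// <summary>
/// Creates a new opaque refresh token: 64 CSPRNG bytes, base64-encoded, valid for
/// <see cref="RefreshTokenLifetimeDays"/> days from now (UTC).
/// </summary>
private RefreshToken GenerateRefreshToken()
{
    var now = DateTime.UtcNow;
    return new RefreshToken
    {
        // RandomNumberGenerator, not System.Random: this value is a bearer credential.
        Token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(64)),
        Created = now,
        Expires = now.AddDays(RefreshTokenLifetimeDays),
    };
}

/// <summary>
/// Sends <paramref name="newRefreshToken"/> to the client as a hardened cookie and records it
/// on <c>user</c> so the next <see cref="RefreshToken"/> call can validate it.
/// </summary>
/// <param name="newRefreshToken">Token produced by <see cref="GenerateRefreshToken"/>.</param>
private void SetRefreshToken(RefreshToken newRefreshToken)
{
    var cookieOptions = new CookieOptions
    {
        // Not readable from script, so an XSS foothold cannot exfiltrate the token.
        HttpOnly = true,
        // Never transmitted over plain HTTP.
        Secure = true,
        // Not attached to cross-site requests, which closes CSRF against /refresh-token.
        // Strict assumes the front end and this API are same-site; a cross-site SPA would
        // need SameSiteMode.None (still with Secure = true) — adjust to the deployment.
        SameSite = SameSiteMode.Strict,
        Expires = newRefreshToken.Expires,
        // NOTE(review): consider scoping `Path` to this endpoint's route so the cookie is not
        // sent with every API call; the controller's route prefix is not visible here.
    };
    Response.Cookies.Append(RefreshTokenCookieName, newRefreshToken.Token, cookieOptions);

    // NOTE(review): this only mutates the in-memory `user`; nothing here persists to a store,
    // so the rotated token is lost on restart and cannot be revoked server-side — confirm
    // that the caller saves `user` (and ideally stores only a hash of the token).
    user.RefreshToken = newRefreshToken.Token;
    user.TokenCreated = newRefreshToken.Created;
    user.TokenExpires = newRefreshToken.Expires;
}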
References
https://www.youtube.com/watch?v=HGIdAn2h8BA
https://www.youtube.com/watch?v=LowJMwa7LCU
https://passage.id/post/how-refresh-tokens-work-a-complete-guide-for-beginners?utm_source=pocket_reader
https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/?utm_source=pocket_reader