Question
From the source code sandbox Webserver, refresh tokens were done like this:
```csharp
// Wired into OAuthAuthorizationServerOptions: the refresh token provider
// simply serializes and deserializes the same ticket used for the access token.
RefreshTokenProvider = new AuthenticationTokenProvider
{
    OnCreate = CreateRefreshToken,
    OnReceive = ReceiveRefreshToken,
}

// Issue a refresh token: the protected (encrypted, signed) ticket itself is the token.
private void CreateRefreshToken(AuthenticationTokenCreateContext context)
{
    context.SetToken(context.SerializeTicket());
}

// Accept a refresh token: unprotect it back into an AuthenticationTicket.
private void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
{
    context.DeserializeTicket(context.Token);
}
```
This creates refresh tokens that have the same lifetime as the access tokens.
What would be an appropriate lifetime for a refresh token, and what would be the suggested way of telling that to the OAuthAuthorizationServer? There's no option for it, and I am wondering if I should just change it on the ticket in the context of the above CreateRefreshToken.
Answer 1:
What would be appropriate lifetime for a refresh token
It's all dependent on the use case. Refresh token lifetime can be based on the application requirement. Google OAuth has "Refresh tokens are valid until the user revokes access".
what would be the suggested way of telling that to the OAuthAuthorizationServer.
Yes, you are right about the approach. You can set it on the Ticket in the context.
```csharp
private void CreateRefreshToken(AuthenticationTokenCreateContext context)
{
    // Give the ticket carried by the refresh token its own expiry (here two months)
    // before it is protected into the token string.
    context.Ticket.Properties.ExpiresUtc = new DateTimeOffset(DateTime.Now.AddMonths(2));
    context.SetToken(context.SerializeTicket());
}
```
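As an added example that is not part of the question or answer above, the provider below takes the same idea (set `ExpiresUtc` on the refresh ticket in `OnCreate`) a step further: the lifetime is configurable, the client receives only an opaque random handle rather than the protected ticket, and a handle is single-use and revocable because the ticket lives server-side. The class name, the 14-day lifetime and the in-memory `ConcurrentDictionary` store are assumptions made for the example; a real deployment would back the store with a database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical provider: refresh tokens get their own lifetime, are handed out as
// opaque random handles, and are single-use (rotated) and revocable server-side.
public class RotatingRefreshTokenProvider : AuthenticationTokenProvider
{
    // In-memory store stands in for a database table (constructed for this example).
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();
    private readonly TimeSpan _lifetime;

    public RotatingRefreshTokenProvider(TimeSpan refreshTokenLifetime)
    {
        _lifetime = refreshTokenLifetime;
        OnCreate = Create;
        OnReceive = Receive;
    }

    private void Create(AuthenticationTokenCreateContext context)
    {
        var now = DateTimeOffset.UtcNow;
        // The refresh ticket gets its own, longer expiry; the access token keeps
        // AccessTokenExpireTimeSpan from OAuthAuthorizationServerOptions.
        context.Ticket.Properties.IssuedUtc = now;
        context.Ticket.Properties.ExpiresUtc = now.Add(_lifetime);

        // The client only ever sees a random handle; the protected ticket stays here.
        var handleBytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(handleBytes);
        string handle = Convert.ToBase64String(handleBytes);

        Store[handle] = context.SerializeTicket();
        context.SetToken(handle);
    }

    private void Receive(AuthenticationTokenReceiveContext context)
    {
        string protectedTicket;
        // TryRemove makes the handle single-use: a replayed handle is simply unknown.
        if (!Store.TryRemove(context.Token, out protectedTicket)) return;

        context.DeserializeTicket(protectedTicket);
        // Reject an expired ticket here rather than leaving it to later stages.
        if (context.Ticket == null ||
            context.Ticket.Properties.ExpiresUtc < DateTimeOffset.UtcNow)
            context.SetTicket(null);
    }
}
```

Register it with `RefreshTokenProvider = new RotatingRefreshTokenProvider(TimeSpan.FromDays(14))` in the `OAuthAuthorizationServerOptions`; revoking a user's sessions is then a matter of removing their handles from the store.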
Source: https://stackoverflow.com/questions/19409085/lifetime-of-refresh-tokens-with-katana-oauthauthorizationserver