JWT RefreshToken handling

ServiceStack Authentication
1

I use .Net Core 2.0 and ServiceStack.Core 1.044
I set the ExpireRefreshToken to 45 seconds and the ExpireToken to 10 seconds.

After sending the Authenticate request, I get the BearerToken and RefreshToken within the response object.
Also the properties bearerToken and refreshToken of the JsonServiceClient instance are correctly populated.

I created a protected Message using the Authenticate and RequiredRole Attributes. I am only able to call that method after the client is authenticated, so it looks like everything is setup correctly.

My issue is the “onAuthenticationRequired” callback of the JsonServiceClient.
I expected that after the BearerToken got expired (10 seconds), the client would try to request a new BearerToken by using the RefreshToken which is in my tests still valid.

I can’t find any documentation about how a JsonServiceClient can request a new BearerToken by using a RefreshToken.

The documentation http://docs.servicestack.net/jwt-authprovider#automatically-refreshing-access-tokens states that the client will automaticall resfresh the accessToken,
but I can’t see that behaviour, at least not with the TypeScript JsonServiceClient.

My questions are:
a) since the client has the bearerToken and refreshToken after the Authenticate request, why is it not using the refreshToken after the bearerToken expires?
I expected that the client tries to get new bearerToken until the refreshToken gets expired and only than call the onAuthenticationRequired callback.

b) What is the url/request object to issue a new bearerToken by using a refreshToken?

2

Here are the JWT tests for the TypeScript JsonServiceClient which tests getting a new AccessToken with the RefreshToken:

This test shows an example of manually assigning a new bearerToken with the onAuthenticationRequired callback.

The client calls the GetAccessToken Service to fetch a new bearerToken with the refreshToken.

3

Thank for your reponse!
I was able to fix the issue by explicit assigning the bearerToken and refreshToken to the JsonServiceClient instance. Now the bearerToken gets refreshed as expected :smile:

Now I have the next issue: When the RefreshToken gets invalid and endless loop of calls to “/json/reply/GetAccessToken” starts. I expected that the JsonServiceClient.onAuthenticationRequired callback will be called. But that didn’t happend. I created a minimal demo project which shows that behaviour (https://github.com/soernt/ServiceStackJwt).
The relevant file is
https://github.com/soernt/ServiceStackJwt/blob/master/Fbi.WebApp.Client/src/app/app.component.ts
At Line 37 I assign the onAuthenticationRequired which is not called.

Any help is much appreciated.

4

Note the onAuthenticationRequired only gets called when the JWT BearerToken expires, when the RefreshToken expires it’s meant to throw a RefreshTokenException.

I’ve resolved an issue which prevents the recursion and throws an ErrorResponse with a type of RefreshTokenException when there’s an invalid or expired RefreshToken in this commit, which you can handle with:

client.refreshToken = expiredJwtRefreshToken;

try {
    var response = await client.get(new SecureRequest());
} catch(e) {
    e.type //= RefreshTokenException
    e.responseStatus.errorCode  //= TokenException
    e.responseStatus.message    //= Token has expired
}

This fix is available from 0.0.40 of servicestack-client that’s now available on npm.

1 Like