JWT RefreshToken handling

I use .Net Core 2.0 and ServiceStack.Core 1.044
I set the ExpireRefreshToken to 45 seconds and the ExpireToken to 10 seconds.

After sending the Authenticate request, I get the BearerToken and RefreshToken within the response object.
Also the properties bearerToken and refreshToken of the JsonServiceClient instance are correctly populated.

I created a protected Message using the Authenticate and RequiredRole Attributes. I am only able to call that method after the client is authenticated, so it looks like everything is setup correctly.

My issue is the “onAuthenticationRequired” callback of the JsonServiceClient.
I expected that after the BearerToken got expired (10 seconds), the client would try to request a new BearerToken by using the RefreshToken which is in my tests still valid.

I can’t find any documentation about how a JsonServiceClient can request a new BearerToken by using a RefreshToken.

The documentation http://docs.servicestack.net/jwt-authprovider#automatically-refreshing-access-tokens states that the client will automaticall resfresh the accessToken,
but I can’t see that behaviour, at least not with the TypeScript JsonServiceClient.

My questions are:
a) since the client has the bearerToken and refreshToken after the Authenticate request, why is it not using the refreshToken after the bearerToken expires?
I expected that the client tries to get new bearerToken until the refreshToken gets expired and only than call the onAuthenticationRequired callback.

b) What is the url/request object to issue a new bearerToken by using a refreshToken?

Here are the JWT tests for the TypeScript JsonServiceClient which tests getting a new AccessToken with the RefreshToken:

This test shows an example of manually assigning a new bearerToken with the onAuthenticationRequired callback.

The client calls the GetAccessToken Service to fetch a new bearerToken with the refreshToken.

Thank for your reponse!
I was able to fix the issue by explicit assigning the bearerToken and refreshToken to the JsonServiceClient instance. Now the bearerToken gets refreshed as expected :smile:

Now I have the next issue: When the RefreshToken gets invalid and endless loop of calls to “/json/reply/GetAccessToken” starts. I expected that the JsonServiceClient.onAuthenticationRequired callback will be called. But that didn’t happend. I created a minimal demo project which shows that behaviour (https://github.com/soernt/ServiceStackJwt).
The relevant file is
At Line 37 I assign the onAuthenticationRequired which is not called.

Any help is much appreciated.

Note the onAuthenticationRequired only gets called when the JWT BearerToken expires, when the RefreshToken expires it’s meant to throw a RefreshTokenException.

I’ve resolved an issue which prevents the recursion and throws an ErrorResponse with a type of RefreshTokenException when there’s an invalid or expired RefreshToken in this commit, which you can handle with:

client.refreshToken = expiredJwtRefreshToken;

try {
    var response = await client.get(new SecureRequest());
} catch(e) {
    e.type //= RefreshTokenException
    e.responseStatus.errorCode  //= TokenException
    e.responseStatus.message    //= Token has expired

This fix is available from 0.0.40 of servicestack-client that’s now available on npm.

1 Like