Before v4.0.62 of ServiceStack there were no JWT Auth Providers out of the box, so we implemented our own custom solution based on this. We use it for mobile application authentication.
We extended this example by using refresh tokens. Refresh tokens are saved by us in storage, and when a renew token request is invoked the refresh token is fetched from there and a new token is generated.
We would like to leave our custom solution and use ServiceStack components (especially because standard user / password authentication is used in parallel for web).
My first idea for that is to override the API Key Provider and add storing of the keys in storage. Then override JWTAuthProvider and add this custom API Key Provider there to generate the refresh token.
The client would first authenticate using login / password (and the session would be established), then he would use the token until it expires.
After that he can use the refresh token generated by the API Key Provider to regenerate the token and create a new JWTAuthProvider session.
As you can see, there is still a lot of custom work to do, and before we start doing it I'd like to make sure that it is doable and would not bring other problems. @mythz What is your opinion about it?
Do you plan to provide similar refresh token solutions in the next versions of ServiceStack?
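
The renew flow described in the post (a refresh token kept in storage and exchanged for a new short-lived JWT), as an added example that is not part of the original post and not ServiceStack's own code. It uses plain .NET 6+ crypto calls, an in-memory dictionary in place of the real storage, and hypothetical names (`RefreshTokenService`, `CreateRefreshToken`, `Renew`, `IssueJwt`). Persisting only the SHA-256 hash of the refresh token, the numeric user id and the 10-minute JWT lifetime are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added example, plain .NET 6+, no ServiceStack types; every name here is hypothetical.
public class RefreshTokenService
{
    private readonly byte[] jwtKey; // HS256 signing key
    // Stand-in for the real storage: SHA-256(refresh token) -> (user id, expiry)
    private readonly Dictionary<string, (long UserId, DateTimeOffset Expires)> store = new();
    public RefreshTokenService(byte[] jwtKey) => this.jwtKey = jwtKey;
    static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static string Sha256(string s) => B64Url(SHA256.HashData(Encoding.UTF8.GetBytes(s)));

    // Short-lived HS256 JWT carrying only "sub" and "exp".
    public string IssueJwt(long userId, DateTimeOffset now, TimeSpan lifetime)
    {
        long exp = now.Add(lifetime).ToUnixTimeSeconds();
        string head = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        string body = B64Url(Encoding.UTF8.GetBytes("{\"sub\":\"" + userId + "\",\"exp\":" + exp + "}"));
        byte[] sig = HMACSHA256.HashData(jwtKey, Encoding.ASCII.GetBytes(head + "." + body));
        return head + "." + body + "." + B64Url(sig);
    }

    // Issued after login/password succeeds; only the token's hash is persisted.
    public string CreateRefreshToken(long userId, DateTimeOffset now, TimeSpan lifetime)
    {
        string token = B64Url(RandomNumberGenerator.GetBytes(32));
        store[Sha256(token)] = (userId, now.Add(lifetime));
        return token;
    }

    // Renew request: look the token up, reject unknown or expired ones, issue a new JWT.
    public string? Renew(string refreshToken, DateTimeOffset now)
    {
        if (!store.TryGetValue(Sha256(refreshToken), out var entry)) return null;
        if (entry.Expires <= now) { store.Remove(Sha256(refreshToken)); return null; }
        return IssueJwt(entry.UserId, now, TimeSpan.FromMinutes(10));
    }

    public static void Main()
    {
        var svc = new RefreshTokenService(RandomNumberGenerator.GetBytes(32));
        var t0 = DateTimeOffset.UtcNow;
        string rt = svc.CreateRefreshToken(42, t0, TimeSpan.FromDays(30)); // constructed user id
        Console.WriteLine(svc.Renew(rt, t0.AddDays(1)) ?? "rejected");   // within lifetime
        Console.WriteLine(svc.Renew("never-issued", t0) ?? "rejected"); // unknown token
        Console.WriteLine(svc.Renew(rt, t0.AddDays(31)) ?? "rejected"); // past expiry
    }
}
```

Because the refresh token is looked up server-side on every renew, deleting its row from storage revokes it immediately, which a self-contained JWT cannot offer on its own.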