We recently merged OAuth2 code flow and refresh token support into the main branch on GitHub. Please give it a try and tell us if it is working for you or not. After that feedback phase I will release v2.2 (maybe in two weeks).
The OAuth2 client configuration page has two new options now: one for enabling code flow, and one for allowing refresh tokens for that client:
Remember you should always select only one flow type per client – rather create multiple clients for each flow you want to support (see my next post on OAuth2 vulnerabilities for more details).
Also note the tokens link at the bottom which brings you to the refresh token search page where you can (based on different search criteria) view and delete refresh tokens:
We also changed the consent screen when refresh tokens are enabled for the client:
From a code point of view, we use the (or rather a) standard OAuth2 query string syntax, and you can use the OAuth2Client class from Thinktecture.IdentityModel as a convenience, e.g.:
var url = OAuth2Client.CreateCodeFlowUrl(
    "https://idsrv.local/issue/oauth2/authorize",
    "codeflowclient",
    Constants.Scope,
    "https://localhost:44303/callback");
Which results in the following URL:
https://idsrv.local/issue/oauth2/authorize?
client_id=codeflowclient&
scope=urn:webapisecurity&
redirect_uri=https://localhost:44303/callback&
response_type=code
After IdentityServer sends back the code – you can again use OAuth2Client to request the token:
var client = new OAuth2Client(
    new Uri("https://idsrv.local/issue/oauth2/token"),
    "codeflowclient",
    "secret");
var response = client.RequestAccessTokenCode(code);
If refresh tokens are enabled, you can request a fresh token like this:
var client = new OAuth2Client(
    new Uri("https://idsrv.local/issue/oauth2/token"),
    "codeflowclient",
    "secret");
var response = client.RequestAccessTokenRefreshToken(refreshToken);
The full sample can be found here.
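For reference, the messages behind the calls above as RFC 6749 defines them, written with plain HttpClient types. This is an added example, not code from IdentityServer or Thinktecture.IdentityModel: the class and method names are hypothetical, and it assumes the server accepts HTTP Basic client authentication and echoes a state parameter back to the callback.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper; endpoint, client id, secret and scope are the post's sample values.
public static class CodeFlowWire
{
    const string Authorize = "https://idsrv.local/issue/oauth2/authorize";
    const string Token = "https://idsrv.local/issue/oauth2/token";
    const string Redirect = "https://localhost:44303/callback";

    // Step 1: authorize URL with encoded parameters and a random, per-request state value.
    public static string BuildAuthorizeUrl(out string state)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        state = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return Authorize + "?client_id=codeflowclient&response_type=code"
            + "&scope=" + Uri.EscapeDataString("urn:webapisecurity")
            + "&redirect_uri=" + Uri.EscapeDataString(Redirect)
            + "&state=" + state;
    }

    // Step 2: on the callback, drop any response whose state is not the one issued in step 1.
    public static bool StateMatches(string issued, string returned)
    {
        return issued != null && string.Equals(issued, returned, StringComparison.Ordinal);
    }

    // Step 3: token request for either grant; the client secret travels in the
    // Authorization header of a POST, never in a query string.
    public static HttpRequestMessage BuildTokenRequest(string grantType, string value)
    {
        var form = new Dictionary<string, string> { { "grant_type", grantType } };
        if (grantType == "authorization_code")
        {
            form["code"] = value;
            form["redirect_uri"] = Redirect; // must equal the value sent in step 1
        }
        else if (grantType == "refresh_token") form["refresh_token"] = value;
        else throw new ArgumentException("unsupported grant type", "grantType");
        var request = new HttpRequestMessage(HttpMethod.Post, Token) { Content = new FormUrlEncodedContent(form) };
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes("codeflowclient:secret"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        return request;
    }
}
```

Pass the returned request to HttpClient.SendAsync; the JSON response carries access_token and, when refresh tokens are enabled for the client, refresh_token.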
