https://github.com/okta/okta-aspnet/issues/130
User story
As a website developer, I would like the Okta ASP.NET SDK to support the flow of exchanging a refresh token for a new access token.
Our use-case is a feature that we call “keep me logged in” where our customers can continue to access authenticated, but non-sensitive resources when they return to the site for weeks or months (similar to Amazon and Facebook). Accessing sensitive resources, like personal information, will be handled by the application and will challenge the user to reauthenticate.
Proposed solution
The application developer will store the user’s refresh and ID tokens somewhere, perhaps a cookie, and trigger an OIDC challenge containing these as authentication properties. The Okta SDK middleware would then issue a call to the /token (instead of the /authorize) endpoint to request a new access token. If successful, the middleware will set the user to authenticated and continue.
Alternatives considered
An alternative is to add an entirely separate layer to the request pipeline that does all of this work and bypasses the OIDC authentication layer.
Additional information
We are using classic ASP.NET MVC with OWIN. Core is not an option because our CMS doesn’t currently support it.
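
The /token exchange proposed in this issue, sketched as an added example (not part of the original issue and not Okta SDK code): a standard OAuth 2.0 `refresh_token` grant sent with HTTP Basic client authentication. `RefreshTokenClient`, `RefreshResult` and every parameter are hypothetical names supplied by the caller, and a reference to Newtonsoft.Json is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq; // assumed to be referenced by the application

public sealed class RefreshResult
{
    public string AccessToken, IdToken, RefreshToken; // RefreshToken may change if rotation is enabled
    public int ExpiresIn;
}

public static class RefreshTokenClient // hypothetical helper, not an SDK type
{
    private static readonly HttpClient Http = new HttpClient();

    // Returns null when the server answers invalid_grant (expired or revoked refresh token),
    // so the caller can fall back to the interactive /authorize challenge.
    public static async Task<RefreshResult> RefreshAsync(
        string tokenEndpoint, string clientId, string clientSecret, string refreshToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint)
        {
            // Scope is omitted, which requests the scope originally granted.
            Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token",
                ["refresh_token"] = refreshToken
            })
        };
        // Client credentials go in the Authorization header, never in the browser.
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            Uri.EscapeDataString(clientId) + ":" + Uri.EscapeDataString(clientSecret)));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);

        using (var response = await Http.SendAsync(request).ConfigureAwait(false))
        {
            var body = JObject.Parse(await response.Content.ReadAsStringAsync().ConfigureAwait(false));
            if (response.IsSuccessStatusCode)
                return new RefreshResult {
                    AccessToken = (string)body["access_token"], IdToken = (string)body["id_token"],
                    RefreshToken = (string)body["refresh_token"] ?? refreshToken,
                    ExpiresIn = (int?)body["expires_in"] ?? 0 };
            if ((string)body["error"] == "invalid_grant") return null;
            throw new HttpRequestException("Token endpoint error: " + (string)body["error"]);
        }
    }
}
```

A `null` result means the stored refresh token is no longer usable and the application should fall back to the interactive challenge. Any ID token returned still needs signature, issuer and audience validation before the user is marked authenticated.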