Okta ASP.net SDK Support for Refresh Tokens

https://github.com/okta/okta-aspnet/issues/130

User story

As a website developer, I would like the Okta ASP.net SDK to support the flow of exchanging a refresh token for a new access token.

Our use-case is a feature that we call “keep me logged in” where our customers can continue to access authenticated, but non-sensitive resources when they return to the site for weeks or months (similar to Amazon and Facebook). Accessing sensitive resources, like personal information, will be handled by the application and will challenge the user to reauthenticate.

Proposed solution

The application developer will store the user’s refresh and ID token somewhere, perhaps a cookie, and trigger an OIDC challenge containing these as authentication properties. The Okta SDK middleware would then issue a call to the /token (instead of the /authorize) endpoint to request a new access token. If successful, the middleware will set the user to authenticated and continue.

Alternatives considered

An alternative is to add an entirely separate layer to the request pipeline that does all of this work and bypasses the OIDC authentication layer.

Additional information

We are using classic ASP.net MVC with Owin. Core is not an option because our CMS doesn’t currently support it.
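The exchange described in the proposed solution, written out as an added example; it is not code from the issue author or from the Okta SDK. It takes the "separate layer" route from "Alternatives considered": an OWIN middleware that, when the request has no cookie session but does carry an encrypted refresh-token cookie, posts grant_type=refresh_token to the Okta token endpoint and signs the resulting identity into the ordinary cookie middleware. Everything not in the thread is an assumption: the cookie name okta_rt, the session_origin claim that marks a refresh-derived session, client_secret_basic client authentication, the scope string, and Newtonsoft.Json plus System.IdentityModel.Tokens.Jwt for parsing the response and the id_token.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.DataProtection;
using Newtonsoft.Json.Linq;
using Owin;

// Example added to this thread; not Okta SDK code. Names below are assumptions.
public class OktaRefreshOptions
{
    public string Issuer { get; set; }                  // e.g. https://{yourOktaDomain}/oauth2/default
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
    public string CookieName { get; set; } = "okta_rt"; // assumed cookie name
    public TimeSpan CookieLifetime { get; set; } = TimeSpan.FromDays(90);
}

// The refresh token is a bearer credential, so the cookie is encrypted and MACed with
// the host's OWIN data protector before it ever reaches the browser.
public class RefreshTokenCookie
{
    private readonly IDataProtector _protector;
    private readonly OktaRefreshOptions _o;
    public RefreshTokenCookie(IDataProtector protector, OktaRefreshOptions o) { _protector = protector; _o = o; }

    // Call once from your post-login code with the refresh token the SDK hands back.
    public void Write(IOwinContext ctx, string refreshToken)
    {
        var blob = Convert.ToBase64String(_protector.Protect(Encoding.UTF8.GetBytes(refreshToken)));
        ctx.Response.Cookies.Append(_o.CookieName, blob,
            new CookieOptions { HttpOnly = true, Secure = true, Expires = DateTime.UtcNow.Add(_o.CookieLifetime) });
    }

    public string Read(IOwinContext ctx)
    {
        var blob = ctx.Request.Cookies[_o.CookieName];
        if (string.IsNullOrEmpty(blob)) return null;
        try { return Encoding.UTF8.GetString(_protector.Unprotect(Convert.FromBase64String(blob))); }
        catch (Exception) { return null; } // tampered or foreign cookie: treat as absent
    }

    public void Clear(IOwinContext ctx) => ctx.Response.Cookies.Delete(_o.CookieName);
}

public class OktaRefreshMiddleware : OwinMiddleware
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly OktaRefreshOptions _o;
    private readonly RefreshTokenCookie _cookie;

    public OktaRefreshMiddleware(OwinMiddleware next, OktaRefreshOptions o, RefreshTokenCookie cookie)
        : base(next) { _o = o; _cookie = cookie; }

    public override async Task Invoke(IOwinContext ctx)
    {
        var current = ctx.Authentication.User?.Identity;
        var refreshToken = _cookie.Read(ctx);
        if ((current == null || !current.IsAuthenticated) && refreshToken != null)
        {
            var tokens = await RedeemAsync(refreshToken);
            var identity = tokens == null ? null : BuildIdentity(tokens);
            if (identity == null)
            {
                _cookie.Clear(ctx); // revoked, expired or unusable: fall through unauthenticated
            }
            else
            {
                // Okta may rotate the refresh token; keep whichever one came back.
                _cookie.Write(ctx, (string)tokens["refresh_token"] ?? refreshToken);
                ctx.Authentication.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
                ctx.Request.User = new ClaimsPrincipal(identity); // visible to this request as well
            }
        }
        await Next.Invoke(ctx);
    }

    // grant_type=refresh_token at {issuer}/v1/token, client authenticated with client_secret_basic.
    private async Task<JObject> RedeemAsync(string refreshToken)
    {
        var req = new HttpRequestMessage(HttpMethod.Post, _o.Issuer.TrimEnd('/') + "/v1/token")
        {
            Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token",
                ["refresh_token"] = refreshToken,
                ["scope"] = "openid profile email offline_access", // assumed; must be a subset of the original grant
            })
        };
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.ASCII.GetBytes(_o.ClientId + ":" + _o.ClientSecret)));
        using (var resp = await Http.SendAsync(req))
        {
            if (!resp.IsSuccessStatusCode) return null; // e.g. invalid_grant after revocation or expiry
            return JObject.Parse(await resp.Content.ReadAsStringAsync());
        }
    }

    // The id_token came straight over TLS from the token endpoint, so only issuer, audience and
    // expiry are checked here; signature verification stays with the interactive OIDC login path.
    private ClaimsIdentity BuildIdentity(JObject tokens)
    {
        var idToken = (string)tokens["id_token"];
        if (idToken == null) return null;
        var jwt = new JwtSecurityToken(idToken);
        if (jwt.Issuer != _o.Issuer || !jwt.Audiences.Contains(_o.ClientId) || jwt.ValidTo < DateTime.UtcNow)
            return null;
        var claims = jwt.Claims.ToList();
        claims.Add(new Claim("session_origin", "refresh_token")); // assumed name: lets sensitive pages demand a fresh login
        claims.Add(new Claim("access_token", (string)tokens["access_token"]));
        return new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationType, "name", "groups");
    }
}

public static class OktaRefreshExtensions
{
    // Register after UseCookieAuthentication and before the Okta OIDC middleware and MVC.
    public static RefreshTokenCookie UseOktaRefreshToken(this IAppBuilder app, OktaRefreshOptions o)
    {
        var cookie = new RefreshTokenCookie(app.CreateDataProtector(typeof(OktaRefreshMiddleware).FullName), o);
        app.Use<OktaRefreshMiddleware>(o, cookie);
        return cookie; // keep this to call Write(...) after the interactive login
    }
}
```

Two practical points for the "keep me logged in" use case. Okta only issues a refresh token when the original /authorize request carried the offline_access scope, so that has to be in the SDK's scope list for the cookie ever to be populated. And because a session restored this way never saw the user type a password, controllers that serve sensitive data should check for the session_origin claim (or the id_token's auth_time) and send the user back through a full /authorize challenge rather than trusting the refreshed session; the refresh token itself should be revoked at Okta on logout, since anyone holding the decrypted value can mint new access tokens until then.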

I can also recommend searching for MS-related documentation, as Okta’s SDK only implements a driver for the MS authentication model.


Yes, agreed. I have studied the Okta ASP.net SDK and the underlying MS OIDC Owin/Katana libraries. They support retrieving the refresh token, but I have not found any support for using the refresh token.

I posted a related question on StackOverflow.

How does a client using Owin/Katana/OIDC use a Refresh Token?