ASP.NET Core Access Token Expiration

The ASP.NET Core quick start shows how to request an access token to call an API. It then shows how to access the token and check the expiration date of that token, as demonstrated below.

What it does not show, however, is what you do if the token is expired. Should I create a new Authentication Client and request a new one from the refresh token? Or is there a different flow I should follow? This should be explained in this code snippet.

// Inside one of your controller actions

if (User.Identity.IsAuthenticated)
{
    string accessToken = await HttpContext.GetTokenAsync("access_token");

    // if you need to check the Access Token expiration time, use this value
    // provided on the authorization response and stored.
    // do not attempt to inspect/decode the access token
    DateTime accessTokenExpiresAt = DateTime.Parse(
        await HttpContext.GetTokenAsync("expires_at"),
        CultureInfo.InvariantCulture,
        DateTimeStyles.RoundtripKind);

    string idToken = await HttpContext.GetTokenAsync("id_token");

    // Now you can use them. For more info on when and how to use the
    // Access Token and ID Token, see https://auth0.com/docs/tokens
}

Hey @rev23dev!

Thanks for providing that feedback, I’ll make sure to relay that feedback to the appropriate team!

Yep, you guessed it correctly: when your tokens expire, you need to make use of refresh tokens. Here is some guidance for that:

Thanks @konrad.sopala, but do I then replace the token in the httpcontext? Can that even be done manually? There is definitely no “settoken” method. This is where things all fell apart for me :wink: Having this documented here is definitely necessary I think. Thanks!

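An added example for the question raised in this thread (not code from the quickstart or from either poster): the saved tokens live in the authentication cookie's `AuthenticationProperties`, so they can be updated with `UpdateTokenValue` and persisted by signing in again. It assumes `SaveTokens = true`, that the `offline_access` scope was requested so a refresh token was stored, a cookie default scheme, and .NET 6+ implicit usings; `TokenRefresher`, `TokenResponse` and the `domain`, `clientId` and `clientSecret` parameters are hypothetical names.

```csharp
using System.Globalization;
using System.Net.Http.Json;
using System.Text.Json.Serialization;
using Microsoft.AspNetCore.Authentication;

public sealed record TokenResponse(
    [property: JsonPropertyName("access_token")] string? AccessToken,
    [property: JsonPropertyName("refresh_token")] string? RefreshToken,
    [property: JsonPropertyName("expires_in")] int ExpiresIn);

public static class TokenRefresher // hypothetical helper, not part of any SDK
{
    // Returns a usable access token, or null when the caller should challenge the user again.
    public static async Task<string?> GetFreshAccessTokenAsync(
        HttpContext ctx, HttpClient http, string domain, string clientId, string clientSecret)
    {
        AuthenticateResult auth = await ctx.AuthenticateAsync(); // reads the auth cookie
        if (!auth.Succeeded || auth.Properties is null) return null;
        string? accessToken = auth.Properties.GetTokenValue("access_token");
        bool known = DateTimeOffset.TryParse(auth.Properties.GetTokenValue("expires_at"),
            CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out var expiresAt);
        if (accessToken is not null && known && expiresAt > DateTimeOffset.UtcNow.AddMinutes(1))
            return accessToken; // still valid, with a one-minute safety margin

        string? refreshToken = auth.Properties.GetTokenValue("refresh_token");
        if (refreshToken is null) return null; // no refresh token was stored

        using var response = await http.PostAsync($"https://{domain}/oauth/token",
            new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token",
                ["client_id"] = clientId,
                ["client_secret"] = clientSecret,
                ["refresh_token"] = refreshToken,
            }));
        if (!response.IsSuccessStatusCode) return null; // refresh token revoked or expired
        var tokens = await response.Content.ReadFromJsonAsync<TokenResponse>();
        if (tokens?.AccessToken is null) return null;

        auth.Properties.UpdateTokenValue("access_token", tokens.AccessToken);
        auth.Properties.UpdateTokenValue("expires_at", DateTimeOffset.UtcNow
            .AddSeconds(tokens.ExpiresIn).ToString("o", CultureInfo.InvariantCulture));
        if (tokens.RefreshToken is not null) // rotation enabled: the old one is now invalid
            auth.Properties.UpdateTokenValue("refresh_token", tokens.RefreshToken);
        // Re-issue the cookie so the updated tokens persist across requests.
        await ctx.SignInAsync(auth.Principal!, auth.Properties);
        return tokens.AccessToken;
    }
}
```

When the method returns null, the refresh token is missing or no longer accepted, and the safe path is to sign the user out or issue a new challenge rather than retry with the stale access token.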