There is a lot of information regarding the use of Refresh tokens with several different back-ends, including ASP.NET Core (which we’re using). However, I am currently working on an MVC app, and I want to make sure that users who log in, actually stay logged in forever (across browser sessions), but I obviously do want to support the revocation of their token under certain conditions (such as a password change).
Since I’m using basic MVC, no front-end app framework, nearly every user interaction results in a page navigation.
I am struggling to figure out how and when to handle keeping the access token up to date in this type of application, where there is almost no application state on the client side.
Willing to provide more context if needed, since I’m left scratching my head but I really want to use Auth0 for our authentication.
You should request a new access token when the existing access token expires. A refresh token allows the user to stay “logged in” perpetually (unless revoked), and regularly requesting fresh access tokens means the user’s info/permissions/roles are up to date.
Perhaps my original question was not phrased accurately, or I am missing an important concept here.
How can I request a new, fresh access token before the current one expires in a traditional MVC app? Since there is no client framework to speak of… I really can't get my head around it. Every user interaction is basically a page navigation, so what if a page navigation suddenly occurs with an expired token?
You could check if a token is expired with the exp claim before sending it, or build your error handling to request a new one if an expired token error is returned.
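One way to put that advice into a server-rendered ASP.NET Core MVC app, as an added example that is not code from this thread or from Auth0: a middleware that, on every request, reads the access token saved in the authentication cookie, checks its exp claim locally, and when the token is within a couple of minutes of expiring exchanges the stored refresh token at the Auth0 token endpoint and re-issues the cookie with the new tokens. If Auth0 refuses the refresh (for example because the refresh token was revoked after a password change), the session is ended instead of letting a stale token linger. It assumes the OpenID Connect handler was registered with SaveTokens = true and the offline_access scope (so access_token and refresh_token are stored in the cookie's authentication properties), that the access token is a JWT (an audience was requested; Auth0 issues opaque access tokens otherwise), and that the configuration keys Auth0:Domain, Auth0:ClientId and Auth0:ClientSecret, the class name RefreshAccessTokenMiddleware and the /Account/Login path are placeholder names of my choosing.

```csharp
// Added example, not from the thread or from Auth0. Assumes the OIDC handler was
// configured with SaveTokens = true and the "offline_access" scope, so the auth
// cookie carries "access_token" and "refresh_token". Config keys and the login
// path below are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

public class RefreshAccessTokenMiddleware
{
    // Refresh this long before exp so a request never runs with a token that
    // expires mid-way; it also absorbs small clock skew between us and Auth0.
    private static readonly TimeSpan RefreshLeeway = TimeSpan.FromMinutes(2);

    private readonly RequestDelegate _next;
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly IConfiguration _config;

    public RefreshAccessTokenMiddleware(RequestDelegate next,
        IHttpClientFactory httpClientFactory, IConfiguration config)
    {
        _next = next;
        _httpClientFactory = httpClientFactory;
        _config = config;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var auth = await context.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        if (auth.Succeeded && auth.Principal != null && auth.Properties != null)
        {
            var accessToken = auth.Properties.GetTokenValue("access_token");
            var refreshToken = auth.Properties.GetTokenValue("refresh_token");

            if (accessToken != null && refreshToken != null && IsExpiringSoon(accessToken))
            {
                var refreshed = await TryRefreshAsync(refreshToken);
                if (refreshed == null)
                {
                    // Auth0 rejected the refresh token (revoked, expired, or the user's
                    // password changed): end the session rather than keep a stale token.
                    await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                    context.Response.Redirect("/Account/Login");
                    return;
                }

                auth.Properties.UpdateTokenValue("access_token", refreshed.Value.accessToken);
                if (refreshed.Value.refreshToken != null) // Auth0 rotated the refresh token
                    auth.Properties.UpdateTokenValue("refresh_token", refreshed.Value.refreshToken);

                // Re-issue the auth cookie so later page navigations carry the new tokens.
                await context.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                    auth.Principal, auth.Properties);
            }
        }
        await _next(context);
    }

    // Reads the exp claim locally, no network call. Signature validation is not
    // repeated here because the token came out of our own encrypted auth cookie.
    public static bool IsExpiringSoon(string jwt)
    {
        var exp = new JwtSecurityTokenHandler().ReadJwtToken(jwt).ValidTo; // UTC, from "exp"
        return exp - RefreshLeeway <= DateTime.UtcNow;
    }

    // Exchanges the refresh token at Auth0's token endpoint (grant_type=refresh_token).
    // Returns null when Auth0 refuses, so the caller can end the session.
    private async Task<(string accessToken, string? refreshToken)?> TryRefreshAsync(string refreshToken)
    {
        string Setting(string key) => _config[key]
            ?? throw new InvalidOperationException($"Missing configuration value {key}");

        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["client_id"] = Setting("Auth0:ClientId"),
            ["client_secret"] = Setting("Auth0:ClientSecret"),
            ["refresh_token"] = refreshToken,
        };

        var client = _httpClientFactory.CreateClient();
        var response = await client.PostAsync($"https://{Setting("Auth0:Domain")}/oauth/token",
            new FormUrlEncodedContent(form));
        if (!response.IsSuccessStatusCode) return null;

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = doc.RootElement;
        var newAccess = root.GetProperty("access_token").GetString();
        var newRefresh = root.TryGetProperty("refresh_token", out var rt) ? rt.GetString() : null;
        return newAccess == null ? null : (newAccess, newRefresh);
    }
}
```

Register it between authentication and authorization so the refreshed token is in place before any controller runs: `services.AddHttpClient();` at startup, then `app.UseAuthentication(); app.UseMiddleware<RefreshAccessTokenMiddleware>(); app.UseAuthorization();`. Because the refresh happens on the server during the page navigation itself, the browser needs no client-side state: the re-issued cookie rides back on the same response. Keep the error-handling path the reply mentions as well, since a token can still be revoked between the check and the downstream API call; a 401 from that call should send the user through the same sign-out route.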