I have a web API that uses OWIN Authentication in my ASP.NET Web API and I need to implement a refresh token.
When users log in, the API sends an Access_Token, an Expiry_Date (3 mins) and a Refresh_token to the client.
Then the tokens are saved in the client's localStorage.
I know that the use of refresh_token is to get a new access_token if the access_token is expired.
Now my problem is: when to do this?
Do I need to check if the client still has a valid/unexpired access_token EVERY TIME I request data from the Web API? And if the access_token is expired, I need to request a new access_token, right?
For example:
api/orders (Web API).
The access_token he uses is expired based on the Expiry_Date that was saved in the localStorage.
A new access_token using refresh_token and then request the api/orders again.
Basically doing THREE requests simultaneously? Seems to me a bit inefficient. Or get the user to log in again? I mean every 3 minutes the user needs to log in? Which defeats the purpose of this.
Any idea how to handle it?
In the sample ajax request below, does someone have an idea how to handle this?
$.ajax({
    type: 'GET',
    url: WEB_API_URL,
    data: data,
    dataType: 'json',
    beforeSend: function(xhr) {
        // need to check if the accessToken is expired
        xhr.setRequestHeader("Authorization", "Bearer " + accessToken);
    }
});
You should first get the tokens from your datastore. Check if they are valid for the next few seconds also. You don't want to run into a failed authorization because your request is delayed by something.
If the token is going to expire soon, use your refresh token to get a new access token.
Then send your request to the Web API.
In short:
1. Get token from datastore.
2. Check if token is valid.
3. If not valid, get new token.
4. Send request to Web Api.
I have no experience with Ajax, but with this flow you should be able to handle your request with a maximum of 2 requests to your API.
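The four-step flow from the answer as an added JavaScript example (not code from the question, the answer, OWIN or jQuery): the token store, the refresh call and the request sender are injected stand-ins with assumed names, so it runs offline against constructed data. It goes one step beyond the answer by sharing a single in-flight refresh between concurrent API calls, so two requests that start at the same moment spend the refresh token once.

```javascript
// Added example, not from the question or answer; store/refresh/send are assumed stand-ins.
const SKEW_MS = 10 * 1000; // treat a token expiring within 10 s as already expired
// Steps 1 and 2: read the stored token and decide whether it is still usable.
function isTokenUsable(tokens, nowMs, skewMs = SKEW_MS) {
  if (!tokens || !tokens.accessToken || !tokens.expiresAt) return false;
  return nowMs + skewMs < tokens.expiresAt;
}
// Step 3: refresh only when needed; one in-flight refresh is shared by concurrent callers.
let refreshInFlight = null;
async function getValidAccessToken(store, refresh, nowMs = Date.now()) {
  const tokens = store.read();
  if (isTokenUsable(tokens, nowMs)) return tokens.accessToken;
  if (!tokens || !tokens.refreshToken) throw new Error("login required");
  if (!refreshInFlight) {
    refreshInFlight = refresh(tokens.refreshToken)
      .then((fresh) => { store.write(fresh); return fresh.accessToken; })
      .finally(() => { refreshInFlight = null; });
  }
  return refreshInFlight;
}
// Step 4: send the request with a token that stays valid for at least SKEW_MS more.
async function callApi(store, refresh, send, url, nowMs = Date.now()) {
  const accessToken = await getValidAccessToken(store, refresh, nowMs);
  return send(url, { Authorization: "Bearer " + accessToken });
}
// Constructed in-memory stand-in for localStorage.
function makeMemoryStore(initial) {
  let saved = initial;
  return { read: () => saved, write: (t) => { saved = t; } };
}
// Demo on constructed data: two concurrent calls while the stored token has 2 s left
// cause exactly one refresh; a later call inside the 3-minute window causes none.
async function demo() {
  const t0 = 1700000000000; // constructed "now" in ms
  const store = makeMemoryStore({ accessToken: "old", refreshToken: "r1", expiresAt: t0 + 2000 });
  const calls = { refreshes: 0, sent: [] };
  const refresh = async (rt) => {
    calls.refreshes += 1;
    return { accessToken: "new-" + rt, refreshToken: "r2", expiresAt: t0 + 180000 };
  };
  const send = async (url, h) => { calls.sent.push(h.Authorization); return { url, ok: true }; };
  await Promise.all([callApi(store, refresh, send, "api/orders", t0),
                     callApi(store, refresh, send, "api/orders", t0)]);
  await callApi(store, refresh, send, "api/orders", t0 + 60000);
  return calls; // refreshes: 1, sent: three "Bearer new-r1" headers
}
```

In a real page the store would read and write localStorage, refresh would POST the refresh token to the token endpoint, and send would be the $.ajax call from the question with the Authorization header set in beforeSend.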