What is Refresh Token and How it works? C# .NET Web API

Author: parvesh

Uploaded: 2025-06-28

Views: 492

Description:

Timestamps:

00:00 - Intro - What is refresh token?
00:17 - Recap - What we had done till now.
01:26 - How refresh token works?
03:02 - Implementing refresh token in C# based web application
04:50 - Generating a refresh token
06:06 - Saving generated token in in-memory static variable
08:48 - Writing logic to refresh access token
13:07 - Adding new endpoint to allow user to refresh token
15:11 - Running multiple projects from a solution in Visual Studio
15:56 - Testing application in Postman
18:23 - Outro


A refresh token is a key concept in JWT (JSON Web Token)-based authentication systems, particularly when you're trying to implement secure, stateless, and scalable user sessions.

---

🧠 What Is a Refresh Token?

A refresh token is a long-lived token used to obtain a new access token after the original (short-lived) access token has expired — without asking the user to log in again.

---

🔄 How It Works (Step-by-Step)

Let’s break it down:

🔐 1. User Logs In

The user provides credentials (username/password).
The server validates them and responds with:

- Access Token (short lifespan, e.g., 15 minutes)
- Refresh Token (long lifespan, e.g., 7–30 days)

⏳ 2. User Accesses Protected Resources

The user includes the access token in request headers (e.g., `Authorization: Bearer token`).
The server verifies it and allows or denies access.

💥 3. Access Token Expires

After a short time, the access token becomes invalid (security feature).
Rather than logging in again, the client uses the refresh token.

🔄 4. Client Requests a New Access Token

The client sends the refresh token to a special endpoint (e.g., `/auth/refresh`).
The server:

- Validates the refresh token
- Issues a new access token
- Optionally, issues a new refresh token (token rotation)

❌ 5. Refresh Token Expiry or Invalidity

If the refresh token is expired, revoked, or has been tampered with, the user is forced to log in again.

---

🧩 Access vs Refresh Token

| Feature | Access Token | Refresh Token |
| ------------- | ------------------------ | -------------------------------- |
| Lifespan | Short (minutes) | Long (days/weeks) |
| Stored In | Usually browser memory | HTTP-only cookies / secure store |
| Use Case | Access APIs | Get new access token |
| Security Risk | Higher (frequently used) | Lower (used less, stored safely) |
| Transport | Sent with most requests | Sent only when refreshing token |

---

🛡️ Best Practices

1. Store refresh token securely (e.g., HTTP-only cookie or secure storage).
2. Don’t expose it in frontend JavaScript.
3. Use HTTPS to prevent token interception.
4. Implement token rotation to prevent reuse.
5. Invalidate tokens on logout or suspicious activity.

---

🔁 Token Rotation (Optional but recommended)

Instead of using the same refresh token every time, the server issues a new refresh token each time the old one is used. This helps prevent replay attacks.
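
The refresh and rotation steps described above, as an added C# example (not code from the video): an in-memory store, matching the video's in-memory approach, that issues a new refresh token on each use and revokes all of a user's tokens when an already-used one is replayed. The names `RefreshTokenStore`, `Issue`, `Rotate`, `RevokeAll` and the 7-day lifetime are assumptions.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
// Hypothetical in-memory store (names and the 7-day lifetime are assumptions).
public sealed class RefreshTokenStore
{
    private sealed record Entry(string UserId, DateTimeOffset ExpiresAt, bool Used);
    // Keyed by the SHA-256 of the token, so raw tokens are never kept server-side.
    private readonly ConcurrentDictionary<string, Entry> _tokens = new();
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(7);

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
    // Called at login and again on every successful refresh.
    public string Issue(string userId)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _tokens[Hash(token)] = new Entry(userId, DateTimeOffset.UtcNow + Lifetime, false);
        return token;
    }

    // Returns the replacement refresh token, or null when the user must log in again.
    public string? Rotate(string? presented, out string? userId)
    {
        userId = null;
        if (string.IsNullOrEmpty(presented)) return null;
        string key = Hash(presented);
        if (!_tokens.TryGetValue(key, out Entry? entry)) return null;   // unknown or revoked
        if (entry.ExpiresAt <= DateTimeOffset.UtcNow) { _tokens.TryRemove(key, out _); return null; }
        // Mark the token as used; TryUpdate lets only one concurrent caller succeed.
        if (entry.Used || !_tokens.TryUpdate(key, entry with { Used = true }, entry))
        {
            RevokeAll(entry.UserId);   // replayed token: invalidate the user's tokens
            return null;
        }
        userId = entry.UserId;
        return Issue(entry.UserId);    // caller also mints a new access token for userId
    }

    // Logout or suspicious activity: drop every refresh token held for the user.
    public void RevokeAll(string userId)
    {
        foreach (var pair in _tokens)
            if (pair.Value.UserId == userId) _tokens.TryRemove(pair.Key, out _);
    }
}
```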

---

⚠️ Real-World Security Consideration

Access tokens are often stored in memory or localStorage (prone to XSS).
Refresh tokens should be stored in HTTP-only cookies to prevent client-side access.
Combine with CORS, CSRF protection, and token blacklisting for full security.

---

Let me know if you have any questions related to this video.
