When refresh token is expired the BFF should return 401, not 502

[JJong-nl]

openiddict-samples/samples/Dantooine/Dantooine.WebAssembly.Server/Helpers/TokenRefreshingDelegatingHandler.cs

Lines 34 to 63 in 9d19a93

	// Note: this handler can be called concurrently for the same user if multiple HTTP
	// requests are processed in parallel: while this results in multiple refresh token
	// requests being sent concurrently, this is something OpenIddict allows during a short
	// period of time (called refresh token reuse leeway and set to 30 seconds by default).
	var result = await _service.AuthenticateWithRefreshTokenAsync(new RefreshTokenAuthenticationRequest
	{
	CancellationToken = cancellationToken,
	DisableUserInfo = true,
	RefreshToken = GetRefreshToken(request.Options)
	});
	request.Headers.Authorization = new AuthenticationHeaderValue(Schemes.Bearer, result.AccessToken);
	return new TokenRefreshingHttpResponseMessage(result, await base.SendAsync(request, cancellationToken));
	}
	// Otherwise, don't bother using the existing access token and refresh tokens immediately.
	else
	{
	var result = await _service.AuthenticateWithRefreshTokenAsync(new RefreshTokenAuthenticationRequest
	{
	CancellationToken = cancellationToken,
	DisableUserInfo = true,
	RefreshToken = GetRefreshToken(request.Options)
	});
	request.Headers.Authorization = new AuthenticationHeaderValue(Schemes.Bearer, result.AccessToken);
	return new TokenRefreshingHttpResponseMessage(result, await base.SendAsync(request, cancellationToken));
	}

When _service.AuthenticateWithRefreshTokenAsync fails, it is returning an error.
I should expect to return a 401

solution is putting the AuthenticateWithRefreshTokenAsync within a try catch

            // If an access token expiration date was returned by the authorization server and stored
            // in the authentication cookie, use it to determine whether the token is about to expire.
            // If it's not, try to use it: if the resource server returns a 401 error response, try
            // to refresh the tokens before replaying the request with the new access token attached.
            var date = GetBackchannelAccessTokenExpirationDate(request.Options);
            if (date is null || TimeProvider.System.GetUtcNow() <= date?.AddMinutes(-5))
            {
                request.Headers.Authorization = new AuthenticationHeaderValue(Schemes.Bearer, GetBackchannelAccessToken(request.Options));

                var response = await base.SendAsync(request, cancellationToken);
                if (response.StatusCode is not HttpStatusCode.Unauthorized)
                {
                    return response;
                }

                // Note: this handler can be called concurrently for the same user if multiple HTTP
                // requests are processed in parallel: while this results in multiple refresh token
                // requests being sent concurrently, this is something OpenIddict allows during a short
                // period of time (called refresh token reuse leeway and set to 30 seconds by default).
                return await TryWithRefreshTokenAsync(request, cancellationToken);
            }

            // Otherwise, don't bother using the existing access token and refresh tokens immediately.
            else
            {
                return await TryWithRefreshTokenAsync(request, cancellationToken);
            }

            async Task<HttpResponseMessage> TryWithRefreshTokenAsync(HttpRequestMessage request, CancellationToken cancellationToken)
            {
                try
                {
                    var result = await _service.AuthenticateWithRefreshTokenAsync(new RefreshTokenAuthenticationRequest
                    {
                        CancellationToken = cancellationToken,
                        DisableUserInfo = true,
                        RefreshToken = GetRefreshToken(request.Options)
                    });

                    request.Headers.Authorization = new AuthenticationHeaderValue(Schemes.Bearer, result.AccessToken);

                    return new TokenRefreshingHttpResponseMessage(result, await base.SendAsync(request, cancellationToken));
                }
                catch (Exception ex)
                {
                    // Refresh token failed, returning 401
                    var response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
                    {
                        RequestMessage = request
                    };
                    return response;

                }
            }

[kevinchalet]

Thanks for your report, @JJong-nl.

The solution you've implemented should work just fine, but if you're interested, I've used a different approach - that doesn't require returning a 401 response from the delegating handler - to address that: #381.

Cheers.

[JJong-nl]

@kevinchalet thanks

[JJong-nl]

@kevinchalet one question
from what package is the extension method DisableCookieRedirect(); ?

[kevinchalet]

It's part of the inbox Microsoft.AspNetCore.Http.Extensions assembly.

It was introduced in ASP.NET Core 10: dotnet/aspnetcore#62883.

[JJong-nl]

Thanks,
for anyone still in net9

    public static class ProxyPipeline
    {
        public static void ConfigureProxyPipeline(IReverseProxyApplicationBuilder app)
        {
            app.Use(async (context, next) =>
            {
                await next();

                // Note: if an "access_denied" error occurred while trying to refresh tokens,
                // trigger a cookie authentication challenge to let the WASM client know that
                // the user should be redirected to the login page to re-authenticate.
                var exception = context.GetForwarderErrorFeature()?.Exception;
                if (exception is ProtocolException { Error: Errors.InvalidGrant })
                {

#if NET10_0_OR_GREATER
                    // with DisableCookieRedirect on the ReverseProxyConventionBuilder
                    context.Response.Clear();
                    await context.ChallengeAsync(CookieAuthenticationDefaults.AuthenticationScheme);
#else
                    context.Response.StatusCode = StatusCodes.Status401Unauthorized;
#endif
                }
            });
        }
    }