Thanks for the great explanation on JWT. This sample project/blog post is by far the best explanation of the subject. Thanks for not making a "To-Do" List. I'm implementing my solution based on your example (makes for great documentation).

Now to the matter at hand: I discovered that the refresh token string value is getting the last two characters lopped off when it's saved within a cookie.

private void  SetRefreshTokenCookie(string token)
{
     var cookieOptions = new CookieOptions
     {
         HttpOnly = true,
          Expires = DateTime.UtcNow.AddDays(7)
      };
     Response.Cookies.Append("refreshToken", token, cookieOptions);
  }

In Postman we see this in the cookie:

but, all of the refresh tokens seem to have == appended at the end of the string, like

Do you have an explanation why Response.Cookies.Append() drops ==?

Thanks,

Hi,
why are you using AllowAnonymous for the /users/refresh-token ?

Shouldn't updating a token happen in an already authenticated session? and in theory, I should only be able to update the token relating to my session.

            // token is a cryptographically strong random sequence of values
            var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));
            // ensure token is unique by checking against db
            var tokenIsUnique = !_context.Users.Any(u => u.RefreshTokens.Any(t => t.Token == token));

Would it be faster to check a token existence unrelated to the Users table? Like _context.RefreshTokens.Any(t => t.Token == token)

UserService.GetUserByRefreshToken(string token) returns a null list for the user's refresh tokens. Code is missing an Include in order to pick up the child table data:

        private async Task<User> GetUserByRefreshToken(string token)
        {
            var user = await _context.Users
                **.Include(p => p.RefreshTokens)**
                .SingleOrDefaultAsync(u => u.RefreshTokens.Any(t => t.Token == token)) ??
                throw new AppException("Invalid token");

            return user;
        }

Very nice and neat example, thanks!

The only thing I want to notice is that normally refresh happens every hour (in this example 15 minutes). There's no need to generate a new token on each refresh as there will be just too many of them.

Maybe better to update existing token with some fields like Updated and UpdatedByIp ? Initially set together with Created and CreatedByIp. Because if the request is valid it is still ok to reuse the same record.

At the moment the API can only be used to test authentication for an existing hardcoded user. Having an extra endpoint to enable registration of new users will make this API a more complete JWT testbed for future projects.

The RefreshToken entity does not have a reference to the User entity in order to complete the User.RefreshTokens join.
Is the assumption that EntityFramework will create the join table automatically? If so, perhaps a mapping reference in the DbContext would be appropriate?