1

Some of the users of my mobile app are telling me that they get signed out of the app sometimes, and in Identity Server I'm getting some warnings regarding refresh tokens that look like this:

[22:34:51 WRN] Invalid refresh token
[22:34:51 WRN] Refresh token validation failed. aborting, {"ClientId": ... 

and I can't figure out why this is happening.

Is there a way to make these logs more verbose, but only for the token validation part and not for the whole server? If there isn't, I'd like to add the logs myself if I can extend the functionality or something.

Malosh
  • 33
  • 3

2 Answers

1

In IdentityServer you can control if a refresh token can be reused or not. If a client sends the same refresh token twice, it can force the users to be signed out. This is a security feature and it is recommended that you don't disable this feature.

You can read about the setting here:

RefreshTokenUsage

  • ReUse: the refresh token handle will stay the same when refreshing tokens.
  • OneTime: the refresh token handle will be updated when refreshing tokens. This is the default.

You can also increase the logging level by setting the logging level to Debug or Verbose to get better insights into the problem.

Can it be that the same refresh token is sent twice?

Tore Nestenius
  • 16,431
  • 5
  • 30
  • 40
  • There's a possibility that the same refresh token is sent twice, but my scenario happens with the RefreshTokenUsage set to ReUse. I'm thinking that if I set it to OneTime this will happen more often and I'll still be unable to debug the problem... – Malosh Jun 16 '21 at 07:17
  • In IdentityServer, where do you persist/store the tokens? In a database? Or in memory? – Tore Nestenius Jun 16 '21 at 08:40
  • I have a table 'persistedGrants' in the database where I save these tokens. – Malosh Jun 16 '21 at 10:58
  • Try to increase the log level to Debug or Trace to get a better insight into why it might fail. – Tore Nestenius Jun 16 '21 at 12:53
  • you could try to manually look in the database if the token is actually found in the database? – Tore Nestenius Jun 16 '21 at 13:00
  • Yes, I'll try to increase the verbosity of the logger to see if I can get more info, but I wanted to avoid doing that because there will be a lot of "noise" in there. I can't look for the token in the database because in the logs the token is replaced with the text: "**REDACTED**". – Malosh Jun 18 '21 at 07:56
  • You could look inside the database table using SQL Management Studio? – Tore Nestenius Jun 18 '21 at 12:45
  • Yes, of course I can do that, but what do I look for if the invalid token is not written in the logs? – Malosh Jun 22 '21 at 11:11
  • You can see the redacted parts by exploring the answers here https://stackoverflow.com/questions/53255246/identity-server-4-idx10630-pii-is-hidden – Tore Nestenius Jun 22 '21 at 11:21
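The question asks for more verbose logging for the token validation path only. With Serilog, which IdentityServer4 hosts commonly use, that is done with per-category minimum-level overrides rather than raising the global level. The following is an added example, not code from the question, the answers or the IdentityServer project. It assumes Serilog is the logging provider, and that the two warnings in the question are written by the `IdentityServer4.Validation` and `IdentityServer4.Services` logger categories (an assumption to confirm against the installed version: check the `SourceContext` of the warning once the output template below is in place).

```csharp
using Serilog;
using Serilog.Events;

// Added example (not from the question or the answers): keep the server at Warning,
// but turn on Debug output only for the components involved in refresh-token validation.
public static class RefreshTokenLogging
{
    public static Serilog.ILogger Create() =>
        new LoggerConfiguration()
            // Everything else stays quiet.
            .MinimumLevel.Warning()
            // Assumption: the token request validator and the refresh token service
            // live in these namespaces; narrow the category further once SourceContext
            // in the output confirms which class emits "Invalid refresh token".
            .MinimumLevel.Override("IdentityServer4.Validation", LogEventLevel.Debug)
            .MinimumLevel.Override("IdentityServer4.Services", LogEventLevel.Debug)
            .Enrich.FromLogContext()
            // Include SourceContext so each line shows which logger category produced it.
            .WriteTo.Console(outputTemplate:
                "[{Timestamp:HH:mm:ss} {Level:u3}] {SourceContext}: {Message:lj}{NewLine}{Exception}")
            .CreateLogger();
}

// Usage in Program.cs (ASP.NET Core generic host), before the host is built:
//
//   Log.Logger = RefreshTokenLogging.Create();
//   Host.CreateDefaultBuilder(args)
//       .UseSerilog()
//       .ConfigureWebHostDefaults(web => web.UseStartup<Startup>())
//       .Build()
//       .Run();
//
// The same overrides can be expressed in appsettings.json under
// "Serilog": { "MinimumLevel": { "Default": "Warning", "Override": { "IdentityServer4.Validation": "Debug", "IdentityServer4.Services": "Debug" } } }
// when the host uses ReadFrom.Configuration(...) instead of the fluent API above.
```

Overrides match on the logger category prefix, so `IdentityServer4.Services` also covers the store and grant-related services, which is where a missing or expired persisted grant would be reported. Once the failing case is understood, drop the overrides again: Debug output from the validation path includes request details that should not sit in production logs longer than needed.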
1

The error indicates that you are trying to use the same refresh token twice. You can derive your own implementation from DefaultRefreshTokenService. It has a virtual method AcceptConsumedTokenAsync which can be overridden with your own logic. Generally, you want to allow a used refresh token to remain valid for a certain time after it has already been used.

You can read more about it in the docs.

Stealth
  • 340
  • 1
  • 15
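The answer above describes overriding `AcceptConsumedTokenAsync` so that a refresh token which has already been consumed is still accepted for a short period, which covers a mobile client that sends two refresh requests at almost the same time. The following is an added example written for this page, not code from the answer, the question or the IdentityServer project. It assumes IdentityServer4 4.1 or later (where `DefaultRefreshTokenService` exposes `AcceptConsumedTokenAsync` and `RefreshToken` carries `ConsumedTime`); the base constructor parameters must match the installed version, and the 30-second window is a hypothetical value.

```csharp
using System;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.Stores;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Added example (not the project's own code): accept a consumed OneTime refresh token
// for a short grace window after it was rotated, so that a second, near-simultaneous
// refresh request from the same client does not sign the user out. Outside the window
// the token is rejected as before, which keeps the replay protection of OneTime usage.
public class GraceWindowRefreshTokenService : DefaultRefreshTokenService
{
    // Hypothetical value: long enough to cover a client retry, short enough that a
    // stolen handle is useless almost immediately after the legitimate rotation.
    private static readonly TimeSpan GraceWindow = TimeSpan.FromSeconds(30);

    private readonly ISystemClock _clock;
    private readonly ILogger<GraceWindowRefreshTokenService> _log;

    // Assumption: this is the base constructor of IdentityServer4 4.1.x. Adjust the
    // parameter list if the installed version differs.
    public GraceWindowRefreshTokenService(
        IRefreshTokenStore refreshTokenStore,
        IProfileService profile,
        ISystemClock clock,
        ILogger<DefaultRefreshTokenService> baseLogger,
        ILogger<GraceWindowRefreshTokenService> log)
        : base(refreshTokenStore, profile, clock, baseLogger)
    {
        _clock = clock;
        _log = log;
    }

    // Called by the base service only when the presented token has already been
    // consumed (ConsumedTime is set). Returning false keeps the default behaviour.
    protected override Task<bool> AcceptConsumedTokenAsync(RefreshToken refreshToken)
    {
        if (!refreshToken.ConsumedTime.HasValue)
        {
            return Task.FromResult(false);
        }

        var sinceConsumed = _clock.UtcNow.UtcDateTime - refreshToken.ConsumedTime.Value;
        var accept = sinceConsumed >= TimeSpan.Zero && sinceConsumed <= GraceWindow;

        // Log every re-presentation: a burst of these from one client is the
        // concurrent-refresh case; a single one long after consumption looks like replay.
        _log.LogWarning(
            "Consumed refresh token for client {ClientId} presented again {Seconds:F1}s after consumption; {Decision}",
            refreshToken.ClientId,
            sinceConsumed.TotalSeconds,
            accept ? "accepted within grace window" : "rejected");

        return Task.FromResult(accept);
    }
}

public static class RefreshTokenServiceRegistration
{
    // Register after AddIdentityServer(); the last IRefreshTokenService registration wins.
    public static IServiceCollection AddGraceWindowRefreshTokens(this IServiceCollection services)
    {
        services.AddTransient<IRefreshTokenService, GraceWindowRefreshTokenService>();
        return services;
    }
}
```

Two caveats. First, the override only runs for tokens with a `ConsumedTime`, that is, under OneTime usage; with `RefreshTokenUsage.ReUse` the handle is never marked consumed, so a ReUse failure such as the one in the question has a different cause (missing or expired grant, wrong client) and needs the store looked at rather than this hook. Second, a grace window deliberately weakens one-time semantics, so keep it short, log each acceptance as above, and treat repeated acceptances for one client as a signal to investigate rather than silently tolerate.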