之前写过2篇关于refresh token的生成与持久化的博文：1）Web API与OAuth：既生access token，何生refresh token；2）ASP.NET OWIN OAuth：refresh token的持久化。

之后我们在CNBlogsRefreshTokenProvider中这样实现了refresh token的生成与持久化：

public class CNBlogsRefreshTokenProvider : AuthenticationTokenProvider { private IRefreshTokenService _refreshTokenService; public CNBlogsRefreshTokenProvider(IRefreshTokenService refreshTokenService) { _refreshTokenService = refreshTokenService; } public override async Task CreateAsync(AuthenticationTokenCreateContext context) { if (string.IsNullOrEmpty(context.Ticket.Identity.Name)) return; var clientId = context.OwinContext.Get<string>("as:client_id"); if (string.IsNullOrEmpty(clientId)) return; var refreshTokenLifeTime = context.OwinContext.Get<string>("as:clientRefreshTokenLifeTime"); if (string.IsNullOrEmpty(refreshTokenLifeTime)) return; //generate access token RandomNumberGenerator cryptoRandomDataGenerator = new RNGCryptoServiceProvider(); byte[] buffer = new byte[60]; cryptoRandomDataGenerator.GetBytes(buffer); var refreshTokenId = Convert.ToBase64String(buffer).TrimEnd(‘=‘).Replace(‘+‘, ‘-‘).Replace(‘/‘, ‘_‘); var refreshToken = new RefreshToken() { Id = refreshTokenId, ClientId = new Guid(clientId), UserName = context.Ticket.Identity.Name, IssuedUtc = DateTime.UtcNow, ExpiresUtc = DateTime.UtcNow.AddSeconds(Convert.ToDouble(refreshTokenLifeTime)), ProtectedTicket = context.SerializeTicket(), IP = context.Request.GetUserIp() }; context.Ticket.Properties.IssuedUtc = refreshToken.IssuedUtc; context.Ticket.Properties.ExpiresUtc = refreshToken.ExpiresUtc; if (await _refreshTokenService.Save(refreshToken)) { context.SetToken(refreshTokenId); } } public override async Task ReceiveAsync(AuthenticationTokenReceiveContext context) { var refreshToken = await _refreshTokenService.Get(context.Token); if (refreshToken != null) { context.DeserializeTicket(refreshToken.ProtectedTicket); var result = await _refreshTokenService.Remove(context.Token); } } }

后来发现一个问题（这是遇到的第1个问题），在用户不登录的情况下，，以client credentials grant方式获取access token时，也会生成refresh token并且保存至数据库。而refresh token是为了解决以resource owner password credentials grant方式获取access token时多次输入用户名与密码的麻烦。所以，对于client credentials grant的场景，生成refresh token完全没有必要。

于是，就得想办法避免这种refresh token生不逢时的情况。后来，找到了解决方法，很简单，只需在CreateAsync的重载方法的开头加上如下的代码：

public class CNBlogsRefreshTokenProvider : AuthenticationTokenProvider { public override async Task CreateAsync(AuthenticationTokenCreateContext context) { if (string.IsNullOrEmpty(context.Ticket.Identity.Name)) return; //... } }

遇到的第2个问题是，Client多次以resource owner password credentials grant的方式获取refresh token，会生成多个refresh token，并且会在数据库中保存多条记录。

通常情况的操作是，Client以resource owner password credentials grant的方式获取refresh token，并之将保存。需要更新access token时就用这个refresh token去更新，更新的同时会生成新的refresh token，并且将原先的refresh token删除。对应的实现代码如下：