C#4mo ago
Salight

Is my GenerateRefreshTokenString() method secure enough?

```csharp
using System;
using System.Security.Cryptography;

private string GenerateRefreshTokenString()
{
    // 64 bytes (512 bits) filled by the platform's cryptographic RNG
    var randomNumber = new byte[64];

    using (var numberGenerator = RandomNumberGenerator.Create())
    {
        numberGenerator.GetBytes(randomNumber);
    }

    // Base64-encode the random bytes to produce the token string
    return Convert.ToBase64String(randomNumber);
}
```
So this is my method. I am encrypting my JWT token with RSA; should I encrypt this method too?
24 Replies
Unknown User4mo ago
Message Not Public
Core4mo ago
Does it really do all that? Isn't Identity only providing building blocks, like Hashing, db methods, and tables? Other logic, like refreshing access tokens with the help of refresh tokens should still be implemented
Unknown User4mo ago
Message Not Public
Core4mo ago
Yes I did, with .net 6-7
Unknown User4mo ago
Message Not Public
Core4mo ago
Ohh, then it's my bad. I didn't know about this
Unknown User4mo ago
Message Not Public
Core4mo ago
In this case OP should really use .NET 8
Unknown User4mo ago
Message Not Public
Core4mo ago
A refresh token should still have an id which can be looked up in the database and a userId. With these 2 fields we could implement refresh token revocation, theft detection and probably more
Unknown User4mo ago
Message Not Public
SalightOP4mo ago
I couldn't find anything about that. Also, I created my database with Identity.
Unknown User4mo ago
Message Not Public
Core4mo ago
You should follow this
Unknown User4mo ago
Message Not Public
Core4mo ago
Migrate to .NET 8 and check how to set up Identity.
Unknown User4mo ago
Message Not Public
SalightOP4mo ago
I am using .NET 8.
Unknown User4mo ago
Message Not Public
SalightOP4mo ago
Okay, thanks, I will read that documentation. So when I migrate this, @TeBeCo, is it gonna create a refresh token column in the DB?
Unknown User4mo ago
Message Not Public
SalightOP4mo ago
Yeah, I get what you are saying, but my question is, like I said, is there gonna be a refresh token part? Because when I do that there wasn't; I have to create a model and add these properties manually.
```csharp
using System;
using Microsoft.AspNetCore.Identity;

public class ExtendedIdentityUser : IdentityUser
{
    public string? RefreshToken { get; set; }
    public DateTime RefreshTokenExpiry { get; set; }
    public string? VerificationToken { get; set; }
    public DateTime? VerifiedAt { get; set; }
    public string? PasswordResetToken { get; set; }
    public DateTime ResetTokenExpires { get; set; }
}
```
Like that.
Core4mo ago
Nick Chapsas
YouTube
The .NET 8 Auth Changes You Must Know About!
Core4mo ago
Just follow how it's done in the video. Nick usually makes good quality content.