I have an Identity Server 4 pool (2 servers). One server is issuing an access token (JWT) and also a refresh token; the refresh token is saved in a database table (the PersistedGrants table). Now when the access token expires, I want to read the refresh token from the second server and call RequestRefreshTokenAsync to get back a new set of tokens. How do I read the database refresh token in the application?
I'm not sure if this is what you're asking, but the refresh_token in the client gets translated to the database Id on IdentityServer4's PersistedGrants table by using the following code, which I believe I had extracted from IdentityServer4's source code some time ago:
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
namespace HandleToKey
{
    internal class Program
    {
        private static void Main(string[] args)
        {
            if (args.Length < 1)
            {
                Console.WriteLine("No argument provided, you may want to provide with a token handle.");
                Console.WriteLine("Usage: HandleToKey.exe [tokenHandle]");
            }
            else
            {
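                // The token handle exactly as the client holds it.
                var input = args.First();
                using (var sha = SHA256.Create())
                {
                    // Append the grant type so the hashed string is "<handle>:refresh_token".
                    input = $"{input}:refresh_token";
                    // SHA-256 over the UTF-8 bytes, then Base64: the value to look for in PersistedGrants.
                    var bytes = Encoding.UTF8.GetBytes(input);
                    var hash = sha.ComputeHash(bytes);
                    var result = Convert.ToBase64String(hash);
                    Console.WriteLine(result);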
                    Console.WriteLine("Press any key to continue...");
                    Console.ReadKey();
                }
            }
        }
    }
}
The relevant bytes are the code inside the using which I think (I don't remember) is the code used to create and consult a persisted grant in the actual source code, or similar to it. It concatenates the input with ":refresh_token", gets a byte[] using UTF8 charmap, and computes its SHA256 hash, then encodes it in Base64, and the result should be the Id.
You could also get the same result with an access_token reference by changing the string to ":access_token" instead of refresh_token.
Anyway I've only used this for debugging purposes. I would like you to avoid using this code on a production site, because I'm sure there's a better way of solving your actual problem if you let us know more about it.
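An added example (not part of the original answer, and not IdentityServer4's own code), written in Python as a quick debugging check: it applies the key derivation described in the answer to a constructed in-memory stand-in for the shared PersistedGrants table, showing that a second server finds the grant from the handle the client presents, while the stored key itself does not work as a token. The column names, helper names, client id and sample handle are assumptions.

```python
import base64
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone


def grant_key(handle, grant_type="refresh_token"):
    """Base64(SHA-256(UTF-8("<handle>:<grant_type>"))), as the answer describes."""
    digest = hashlib.sha256(f"{handle}:{grant_type}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_store():
    # Constructed stand-in for the shared PersistedGrants table (assumed columns).
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE PersistedGrants ("Key" TEXT PRIMARY KEY, '
               '"Type" TEXT, ClientId TEXT, Expiration TEXT)')
    return db


def store_grant(db, handle, client_id, lifetime, now):
    # Issuing server: only the derived key is written, never the handle itself.
    db.execute("INSERT INTO PersistedGrants VALUES (?, ?, ?, ?)",
               (grant_key(handle), "refresh_token", client_id,
                (now + lifetime).isoformat()))


def find_grant(db, handle, now):
    # Any server on the same database: re-derive the key from the presented handle.
    row = db.execute('SELECT ClientId, Expiration FROM PersistedGrants '
                     'WHERE "Key" = ? AND "Type" = ?',
                     (grant_key(handle), "refresh_token")).fetchone()
    if row is None or datetime.fromisoformat(row[1]) <= now:
        return None  # unknown handle or expired grant
    return row[0]


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    db = make_store()
    handle = "constructed-sample-handle-0001"  # constructed, not a real token
    store_grant(db, handle, "sample_client", timedelta(days=30), now)
    stored_key = db.execute('SELECT "Key" FROM PersistedGrants').fetchone()[0]
    print("stored key:", stored_key)
    print("lookup by handle:", find_grant(db, handle, now))
    print("lookup by stored key:", find_grant(db, stored_key, now))
```

Because only the hash is stored, the table cannot give the token back; the handle held by the client is the secret, so keep it out of logs and debugging output.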