In Server, I use OAUth2 to secure Web API with access_token and refresh_token.
But I don't know any way to use refresh_token in MVC Client ?
If access_token is expired,when user is using MVC Web,Request cannot go to server API and something will lost. I means : MVC Client can auto-refresh token when expires?
I rolled out my OAuth utilising refresh tokens strategy by following the guide at "Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, and Owin". It is in production with no problems.
It does focus on the client implementation as an Angular JS app, but there is logic towards the middle of the article that refers to "Step 6: Generating an Access Token using the Refresh Token" and shows graphics and process of how you can send a request for refresh_token etc, you should be able to draw some ideas from for an ASP.NET MVC implementation. It also includes the entire workflow and setup required on the ASP.NET API side which may help you double check things.
If this article is helpful to you, you may wish to start at the beginning of his OAuth ASP.NET discussion as you might find it of interest to follow - "Token Based Authentication using ASP.NET Web API 2, Owin, and Identity"
