But where are they stored?
By default, they are not stored anywhere: they are autonomous. While the encryption keys used to protect update tokens are still in the ASP.NET data protection key ring, they can be decrypted by ASOS and used to issue new access tokens.
How can I change the expiration date of a token?
The default expiration date can be set globally from parameters using the property RefreshTokenLifetime. If you do not provide your own life, they are valid for 14 days.
Please note that upon expiration, the default is also turned on, which means that you receive a new update token (valid for 14 days) every time you make a new request grant_type=refresh_token. You can disable the sliding ending by setting UseSlidingExpirationto false.
... ?
, . , (, , ), SerializeRefreshToken DeserializeRefreshToken, , .
HandleTokenRequest context.Reject(), , a refresh_token .
OpenIddict, , "" , , , reset.
, ?
, , , sub, , .