public override void OnAuthorization(HttpActionContext actionContext)
{
     string token = string.Empty;
     AuthenticationTicket ticket;
     //retrieve the token the client sent in the request...
     token = (actionContext.Request.Headers.Any(x => x.Key == "Authorization")) ? actionContext.Request.Headers.Where(x => x.Key == "Authorization").FirstOrDefault().Value.SingleOrDefault().Replace("Bearer ","") : "";

     //Your OAuth Startup class may be called differently...
     ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);

     //verification using the ticket's properties. When it was set to expire (ExpiresUtc) or whatever other properties you may have appended to it's dictionnary.

    //if verification fails..
    //actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized,"Verification failed.");
    //return;

    //Otherwise,send a new token with an extended expiration date...
     AuthenticationProperties refreshTokenProperties = new AuthenticationProperties(ticket.Properties.Dictionary)
     {
            IssuedUtc = ticket.Properties.IssuedUtc,ExpiresUtc = DateTime.UtcNow.AddMinutes(20)
     };

     AuthenticationTicket newToken = new AuthenticationTicket(ticket.Identity,refreshTokenProperties);
     string newTokenHash = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(newToken);

     //add the new token to request properties. Can't add it to the header here,because creating response/response headers here will prevent process from proceeding to called controller method.
     actionContext.Request.Properties.Add(new KeyValuePair<string,object>("Token",newTokenHash));
}

然后使用ActionFilterAttribute过滤器链接它：

public override void OnActionExecuted(HttpActionExecutedContext actionExecutedContext)
{
    if (actionExecutedContext.Response == null)
        return;

    var objectContent = actionExecutedContext.Response.Content as ObjectContent;
    //the token we put in the filter above...
    string tokenHash = (actionExecutedContext.Request.Properties.Any(x => x.Key == "Token")) ? (string)actionExecutedContext.Request.Properties.Where(x => x.Key == "Token").FirstOrDefault().Value : "";
}

您可以将新标头附加到响应,放入JSON有效负载响应或将其添加为响应cookie.然后,当您请求任何其他资源时,您使客户端使用此新哈希,这样,到期时间将每次额外滑动20分钟.

您可以在App_Start / WebApiConfig.cs中全局注册这些过滤器属性

config.Filters.Add(new ClassExtendingAuthorizeAttribute());
config.Filters.Add(new ClassExtendingActionFilterAttribute());

但正如jumuro所提到的,您可以让客户只使用刷新令牌.取决于你是否想要你的后端或前端来完成大部分的腿部工作.

希望能帮助到你.