For testing purposes I changed the expiration time of my access token to 60s.
This is correctly set in the token (checked with JWT.IO)
With this site, I check the current epoch time.
When the token should expire (Current time > Token time) I'm still authenticated against my API.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[8]
AuthenticationScheme: Bearer was successfully authenticated.
After ~5 minutes the API understands the token is invalid:
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[1]
Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6IjBjZWQ4OTU3NGJkMWJmNDUwNWEwNjVmYmRkMGVmNzJkZTIxZDgzNTAyMjE5MjMzOWRhZDc4YmE0YTFjMTA1NTEiLCJ0eXAiOiJKV1QifQ.eyJuYmYiOjE0Nzk4OTU3OTksImV4cCI6MTQ3OTg5NTg1OSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwL3Jlc291cmNlcyIsImNsaWVudF9pZCI6Im12YyIsInN1YiI6IjZkNzMzN2IyLWMyOTQtNDEyYy05YmE4LTNjNzFkM2M1ZmFhNSIsImF1dGhfdGltZSI6IjE0Nzk4OTU3ODUiLCJpZHAiOiJsb2NhbCIsInJvbGUiOiJyZXNlYXJjaGVyIiwic2NvcGUiOlsib3BlbmlkIiwicHJvZmlsZSIsIm9mZmxpbmVfYWNjZXNzIiwicm9sZXMiLCJhcGkxIl0sImFtciI6WyJwd2QiXX0.nNUiJUt4Dip6EkML99My9D76u9-nCUKC0t2Wi63qRZnaSO49BOyhP8NfmCD27b0pm7uD_c0Z_pOlVACv2x8XOh7fw1pIyk0UAW4_YEOOnL-wo5Wtb-aQb-s3DoZ5T_gjb--5pffGEmpON_4HX8YUb9Rtec53QAJTThLEdVmhyOAlpu19OjNFjs8cX8PtL6aOErnfcjLSK3fyK51Q36m5H1xXGMKFcYT8r5jpwg0tEuiGfihYMndGn8S8QgK1m75fpxr29TiSjMTNPHG-wnxESa28PpbRgSNu3CyEKI1fBQnkkjlSx2wAq02Lg8_iocOnkRNNi5lj3mkW-6vEMm6uYQ.
Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired.
ValidTo: '11/23/2016 10:10:59'
Current time: '11/23/2016 10:16:16'.
BUG: I was able to do calls between 10:10:59 and 10:16:16.
If you need more information, please ask.
Sincerely, Brecht
Have a nice day!
If you use JwtBearerAuthentication, try to set JwtBearerOptions.TokenValidationParameters.ClockSkew. Default value is 5 minutes. HtH
As I can see from CombinedAuthenticationOptions.cs, it's not possible. But you can try app.UseJwtBearerAuthentication directly.
We don't directly expose that setting. Why do you want to change it?
The clock skew feature exists to protect you from out-of-sync clocks - otherwise you might run into problems where tokens are not yet valid (because the consumer clock is slightly behind the STS clock, etc.).
That said - you can tweak any setting of the underlying middlewares by creating the combined options yourself
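What the 5-minute default means in practice, as an added example (not code from this thread, from IdentityServer4 or from the JwtBearer middleware): the first part registers the JWT bearer middleware directly with the ASP.NET Core 1.x `app.UseJwtBearerAuthentication` call mentioned above, which is where `TokenValidationParameters.ClockSkew` becomes reachable; the second part reproduces the lifetime rule the token handler applies (the IDX10223 check in the logged exception) and runs it against the `nbf`/`exp` values of the token quoted in the issue. The Authority and Audience values are assumptions taken from the token's `iss` and `aud`; the `LifetimeRule` class and the sample timestamps other than the logged one are constructed for the example.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Authentication.JwtBearer;

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        // ASP.NET Core 1.x registration of the JWT bearer middleware directly,
        // which exposes TokenValidationParameters (the combined IdentityServer4
        // options discussed above do not). Authority and Audience are assumed
        // values matching the 'iss' and 'aud' of the token quoted in the issue.
        var options = new JwtBearerOptions
        {
            Authority = "http://localhost:5000",
            Audience = "http://localhost:5000/resources",
            RequireHttpsMetadata = false // local development only
        };

        // Default is TimeSpan.FromMinutes(5). Zero makes 'exp' a hard deadline;
        // keep a small allowance (e.g. 30 s) when the API host and the STS do
        // not share a time source, otherwise fresh tokens may fail on 'nbf'.
        options.TokenValidationParameters.ClockSkew = TimeSpan.Zero;

        app.UseJwtBearerAuthentication(options);
    }
}

// The lifetime rule the token handler applies: a token is rejected as expired
// only once 'exp' lies before (now - ClockSkew), and rejected as not yet valid
// only while 'nbf' lies after (now + ClockSkew).
public static class LifetimeRule
{
    public static bool IsExpired(DateTime validToUtc, DateTime nowUtc, TimeSpan clockSkew)
        => validToUtc < nowUtc - clockSkew;

    public static bool IsNotYetValid(DateTime validFromUtc, DateTime nowUtc, TimeSpan clockSkew)
        => validFromUtc > nowUtc + clockSkew;

    public static void Main()
    {
        // 'nbf' and 'exp' of the token quoted in the issue:
        // 1479895799 = 2016-11-23 10:09:59 UTC, 1479895859 = 2016-11-23 10:10:59 UTC.
        var validFrom = DateTimeOffset.FromUnixTimeSeconds(1479895799).UtcDateTime;
        var validTo   = DateTimeOffset.FromUnixTimeSeconds(1479895859).UtcDateTime;
        var defaultSkew = TimeSpan.FromMinutes(5);

        // Two minutes after 'exp' (constructed time): inside the default skew,
        // so the rule still accepts the token; with zero skew it rejects it.
        var t1 = new DateTime(2016, 11, 23, 10, 12, 59, DateTimeKind.Utc);
        Console.WriteLine($"{t1:HH:mm:ss} skew=5m expired={IsExpired(validTo, t1, defaultSkew)}");
        Console.WriteLine($"{t1:HH:mm:ss} skew=0  expired={IsExpired(validTo, t1, TimeSpan.Zero)}");

        // 'Current time' from the logged exception: more than 5 minutes past
        // 'exp', so the rule rejects the token even with the default skew.
        var t2 = new DateTime(2016, 11, 23, 10, 16, 16, DateTimeKind.Utc);
        Console.WriteLine($"{t2:HH:mm:ss} skew=5m expired={IsExpired(validTo, t2, defaultSkew)}");

        // Consumer clock one minute behind the STS at issue time (constructed):
        // the case the skew exists for; with zero skew the token is 'not yet valid'.
        var t3 = validFrom - TimeSpan.FromMinutes(1);
        Console.WriteLine($"{t3:HH:mm:ss} skew=0  notYetValid={IsNotYetValid(validFrom, t3, TimeSpan.Zero)}");
        Console.WriteLine($"{t3:HH:mm:ss} skew=5m notYetValid={IsNotYetValid(validFrom, t3, defaultSkew)}");
    }
}
```

The skew is applied on both ends of the lifetime, so lowering it trades the observed over-acceptance after `exp` for rejections of freshly issued tokens when the API host's clock runs behind the STS. On ASP.NET Core 2.0 and later the same property is set through `services.AddAuthentication().AddJwtBearer(o => o.TokenValidationParameters.ClockSkew = ...)` instead of `UseJwtBearerAuthentication`.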
Thx for the responses
Why:
Currently we use a MVC application with the Hybrid flow. This MVC application is a 'container': it will serve different Angular applications based on your role. The MVC application also secures static files with a middleware that checks the role. This all happens with the cookie set by
_app.UseOpenIdConnectAuthentication()_
The Angular applications will execute a call to the MVC application to retrieve an access token (stored in the cookie). And saves this access token. It's now possible to execute requests from the Angular application to our API's.
When the access token is invalid it will request a new one from the MVC application (this will use the refresh token), ...
I want to set my access token to a lifetime of 20 minutes and my refresh token to a lifetime of 60 minutes (sliding). I also want to set the lifetime of the MVC and the IdentityServer project cookie to 60 minutes (sliding).
While testing everything I lowered my lifetimes to 1 minute for access_token and 5 for refresh_token and cookies.
This is why I found the behavior of my question.
OK - as I said the 5 min skew is by design.
I'm using a DelegatingHandler having SetBearerToken called in its SendAsync override, injected to my HttpClient singleton of my app (IoC-managed).
My question is how do I verify a token hasn't expired before I call base.SendAsync in the delegating handler?
Cross posted here
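One way to do the check asked about above, as an added example (not code from this thread, from IdentityModel or from IdentityServer4): a DelegatingHandler that parses the access token's `exp` claim locally before calling `base.SendAsync`, treats the token as expired a short margin before the deadline, and fetches a new one when needed. It does not verify the signature (that remains the API's job) and it deliberately does not count on the API's 5-minute ClockSkew, which exists for clock drift rather than as extra lifetime. The `currentToken` and `refreshToken` callbacks, the `ExpiryCheckingHandler` name and the 30-second margin are assumptions; the application would wire the refresh callback to whatever endpoint hands out a new access token (in the setup described above, the MVC application's refresh-token call).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Added example. Reads 'exp' from the bearer token before each request and
// refreshes the token when it is about to expire. The two callbacks are
// assumed to be supplied by the application (e.g. from its token store and
// from the MVC endpoint that uses the refresh token).
public class ExpiryCheckingHandler : DelegatingHandler
{
    // ReadJwtToken parses header and payload only; it performs no validation.
    private static readonly JwtSecurityTokenHandler JwtHandler = new JwtSecurityTokenHandler();

    private readonly Func<string> _currentToken;
    private readonly Func<Task<string>> _refreshToken;
    private readonly TimeSpan _margin;

    public ExpiryCheckingHandler(Func<string> currentToken,
                                 Func<Task<string>> refreshToken,
                                 TimeSpan? margin = null)
    {
        _currentToken = currentToken;
        _refreshToken = refreshToken;
        // Treat the token as expired slightly before 'exp' so a request cannot
        // reach the API after the deadline because of network latency.
        _margin = margin ?? TimeSpan.FromSeconds(30);
    }

    // True while (exp - margin) is still in the future. A token without an
    // 'exp' claim (ValidTo == DateTime.MinValue) is treated as unusable.
    public static bool IsStillValid(string jwt, DateTime nowUtc, TimeSpan margin)
    {
        if (string.IsNullOrEmpty(jwt)) return false;
        JwtSecurityToken token;
        try
        {
            token = JwtHandler.ReadJwtToken(jwt);
        }
        catch (ArgumentException)
        {
            return false; // not a well-formed JWT
        }
        if (token.ValidTo == DateTime.MinValue) return false;
        return nowUtc < token.ValidTo - margin;
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
                                                                 CancellationToken cancellationToken)
    {
        var token = _currentToken();
        if (!IsStillValid(token, DateTime.UtcNow, _margin))
        {
            // Obtain a fresh access token before sending; the callback is
            // expected to return the new token (and to store it).
            token = await _refreshToken();
        }

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Register it as the inner handler of the singleton HttpClient (for example `new HttpClient(new ExpiryCheckingHandler(store.GetToken, store.RefreshAsync) { InnerHandler = new HttpClientHandler() })`, names assumed). If the refresh call can fail, the handler should let that exception surface rather than sending the stale token, since the API would reject it anyway once its own skew window has passed.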
Nice information, thank you @leastprivilege for sharing.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.