Identityserver4: AccessToken expires before its expiration

Created on 20 Nov 2017 · 11 comments · Source: IdentityServer/IdentityServer4

  • [x] I read and understood how to enable logging

Issue / Steps to reproduce the problem

I am not sure why my access token expires too quickly. In my only client object I set it to 10 days (3600*24*10), but it expires after a few hours (I don't know exactly how long it lasts) and it certainly doesn't last more than 1 day, e.g. I get a 401. I tested from the client side and it does show the token expiration to be 10 days.
I know I shouldn't set it to 10 days, but I just wonder why it expires before its expiration?

Update:
As per log below, it seems that the error message is Ticket expired when using the same valid access token to call the api.
Not sure what that means? Where do I configure the ticket?

new Client
{
    ClientId = "web-badders-rank",
    ClientName = "Badders Rank Web Client",
    //AccessTokenType = AccessTokenType.Reference,
    AllowedGrantTypes = GrantTypes.Implicit,
    AllowAccessTokensViaBrowser = true,
    AccessTokenLifetime = 3600 * 24 * 10, // 10 days
    IdentityTokenLifetime = 3600 * 24 * 2, // 2 days
    RedirectUris = redirectUris,
    PostLogoutRedirectUris = postLogoutRedirectUris,
    AllowedCorsOrigins = allowedCorsOrigins,
    AlwaysIncludeUserClaimsInIdToken = true,
    RequireConsent = false,
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "badders-rank-api"
    }
}

Relevant parts of the log file

2017-11-20 20:38:09.749 +00:00 [DBG] Using idsrv as default scheme for authentication
2017-11-20 20:38:09.759 +00:00 [DBG] Using idsrv as default scheme for sign-in
2017-11-20 20:38:09.761 +00:00 [DBG] Using idsrv as default scheme for sign-out
2017-11-20 20:38:09.762 +00:00 [DBG] Using idsrv as default scheme for challenge
2017-11-20 20:38:09.763 +00:00 [DBG] Using idsrv as default scheme for forbid
2017-11-20 20:38:10.037 +00:00 [WRN] Unable to bind to http://localhost:19864 on the IPv6 loopback interface: 'Error -4090 EADDRNOTAVAIL address not available'.
2017-11-20 20:38:10.417 +00:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://baddersrank.azurewebsites.net
2017-11-20 20:38:10.430 +00:00 [DBG] Client list checked and origin: http://baddersrank.azurewebsites.net is allowed
2017-11-20 20:38:10.431 +00:00 [DBG] CorsPolicyService allowed origin: http://baddersrank.azurewebsites.net
2017-11-20 20:38:10.551 +00:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2017-11-20 20:38:10.555 +00:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2017-11-20 20:38:10.556 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2017-11-20 20:38:10.566 +00:00 [DBG] Start discovery request
2017-11-20 20:38:11.029 +00:00 [DBG] CORS request made for path: /.well-known/openid-configuration/jwks from origin: http://baddersrank.azurewebsites.net
2017-11-20 20:38:11.030 +00:00 [DBG] Client list checked and origin: http://baddersrank.azurewebsites.net is allowed
2017-11-20 20:38:11.030 +00:00 [DBG] CorsPolicyService allowed origin: http://baddersrank.azurewebsites.net
2017-11-20 20:38:11.031 +00:00 [DBG] Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery
2017-11-20 20:38:11.033 +00:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryKeyEndpoint
2017-11-20 20:38:11.034 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks
2017-11-20 20:38:11.044 +00:00 [DBG] Start key discovery request
**2017-11-20 20:38:11.054 +00:00 [INF] idsrv was not authenticated. Failure message: Ticket expired**
**2017-11-20 20:38:11.055 +00:00 [INF] idsrv was not authenticated. Failure message: Ticket expired**
2017-11-20 20:38:11.057 +00:00 [DBG] Request path /connect/checksession matched to endpoint type Checksession
2017-11-20 20:38:11.059 +00:00 [DBG] Endpoint enabled: Checksession, successfully created handler: IdentityServer4.Endpoints.CheckSessionEndpoint
2017-11-20 20:38:11.060 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.CheckSessionEndpoint for /connect/checksession
2017-11-20 20:38:11.061 +00:00 [DBG] Rendering check session result
2017-11-20 20:38:13.811 +00:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2017-11-20 20:38:13.812 +00:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2017-11-20 20:38:13.813 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2017-11-20 20:38:13.814 +00:00 [DBG] Start discovery request
2017-11-20 20:38:13.963 +00:00 [DBG] Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery
2017-11-20 20:38:13.965 +00:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryKeyEndpoint
2017-11-20 20:38:13.966 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks
2017-11-20 20:38:13.967 +00:00 [DBG] Start key discovery request
Label: question

All 11 comments

As per log below, it seems that the error message is Ticket expired when using the same valid access token to call the api.

I'm not sure what the setup is of your client, API, and IdentityServer are, but the ticket error means your cookie is no longer valid.

Here is the setup for the IdentityServer:

public void ConfigureServices(IServiceCollection services)
{
    services.AddOptions();

    services.AddMvc();
    services.AddIdentityServer()
            .AddDeveloperSigningCredential(false)
            .AddInMemoryIdentityResources(GetIdentityResources())
            .AddInMemoryApiResources(GetApiResources())
            .AddInMemoryClients(GetClients(_redirectUris, _postLogoutRedirectUris, _allowedCorsOrigins))
            .AddTestUsers(GetTestUsers());

    services.AddAuthentication()
        .AddOpenIdConnect("oidc", "OpenID Connect", options =>
        {
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.SignOutScheme = IdentityServerConstants.SignoutScheme;
            options.Authority = _authority;
            options.ClientId = "client";
            options.RequireHttpsMetadata = false; // for dev testing
        });
}

Here is the relevant setup on the API:

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = _authority;
            options.ApiName = "badders-rank-api";
            options.RequireHttpsMetadata = false;
        });
}

I am using an Angular 4 client with a package called 'angular-oauth2-oidc'; I just set up the normal configs like issuer, clientid and scope; no config about the cookie. Is it possible to configure the cookie on the client side?

So the log file you listed above is for the token server, not the API. It's in the API where the access token is used, so its log file would explain why it's not working.

Sorry again! Please see the api log below.

2017-11-20 20:38:13.340 +00:00 [WRN] Unable to bind to http://localhost:14085 on the IPv6 loopback interface: 'Error -4090 EADDRNOTAVAIL address not available'.
2017-11-20 20:38:14.110 +00:00 [INF] Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6ImU3YTFiNGYwZjQzY2I3MDFlYjdmNzM4OTMyZDE5M2E0IiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MTExMjk0NTEsImV4cCI6MTUxMTk5MzQ1MSwiaXNzIjoiaHR0cDovL2JhZGRlcnJhbmtpZGVudGl0eXVhdC5henVyZXdlYnNpdGVzLm5ldCIsImF1ZCI6WyJodHRwOi8vYmFkZGVycmFua2lkZW50aXR5dWF0LmF6dXJld2Vic2l0ZXMubmV0L3Jlc291cmNlcyIsImJhZGRlcnMtcmFuay1hcGkiXSwiY2xpZW50X2lkIjoid2ViLWJhZGRlcnMtcmFuayIsInN1YiI6IjEiLCJhdXRoX3RpbWUiOjE1MTExMjk0NTEsImlkcCI6ImxvY2FsIiwic2NvcGUiOlsib3BlbmlkIiwicHJvZmlsZSIsImJhZGRlcnMtcmFuay1hcGkiXSwiYW1yIjpbImV4dGVybmFsIl19.K-Rgp83PR2PRKKA1CqHO16VraqoyWvs3Yx0UtqadrSMAwRz74wtgopmz4GX66D48LjZsKqcRIFjIAFFzOzkPtdUxNEX-YyBaihPGjxSO4PfEnllf6eEenkMdxwA_nVahUXKKQuui7RGBNzggZFk80qC5lj-hh-Jw9Xgj9lWcEnkanUvg_ButiI5bcODpDEzpEkvZv4ROUYDXD1jcb1fhsZnwwOEwsLSu4mC-id9aMuNYj0vv7tHixceB3M84idSno3eNAtTDQbpU9Y1o47-ihEjdeH1OciuSrhcmdkKK2RQKUpQjmNZ8arlWPXLuzEhaX5NdbV2_JxxoU1XoFp0WMA.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'e7a1b4f0f43cb701eb7f738932d193a4',
token: '{"alg":"RS256","typ":"JWT","kid":"e7a1b4f0f43cb701eb7f738932d193a4"}.{"nbf":1511129451,"exp":1511993451,"iss":"http://badderrankidentityuat.azurewebsites.net","aud":["http://badderrankidentityuat.azurewebsites.net/resources","badders-rank-api"],"client_id":"web-badders-rank","sub":"1","auth_time":1511129451,"idp":"local","scope":["openid","profile","badders-rank-api"],"amr":["external"]}'.

at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__6.MoveNext()

By default, the session cookie issued by IdentityServer expires after 10 hours. In order to change this to e.g. 24 hours:

services.AddIdentityServer(options =>
    {
        options.Authentication.CookieLifetime = new TimeSpan(24, 0, 0);
        options.Authentication.CookieSlidingExpiration = false;
     })
    .AddDeveloperSigningCredential(false)
    [...]

See Docs for more information.

Signature validation failed. Unable to match 'kid': 'e7a1b4f0f43cb701eb7f738932d193a4',

This is what you need to focus on.

.AddDeveloperSigningCredential(false)

does not persist the key. Your key material and the cached copy of the discovery document gets out of sync. Hence the validation error.
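Added example, not code from this issue or from IdentityServer4: a small Python diagnostic that performs the same lookup the API's bearer middleware does before it can verify a signature, namely matching the token header's `kid` against the keys published at the JWKS endpoint. The token is rebuilt from the header and payload printed in the API log above (the signature segment is a constructed placeholder, since this check never verifies it), and both JWKS documents are constructed: one that no longer contains the `kid` (what a restarted server with a regenerated developer key serves) and one that does. It also reads `exp - nbf` straight from the claims, which shows the token itself carried the configured 10-day lifetime and was never the expired part.

```python
import base64
import json

# Header and payload copied from the IDX10501 log entry in this issue.
HEADER = {"alg": "RS256", "typ": "JWT", "kid": "e7a1b4f0f43cb701eb7f738932d193a4"}
PAYLOAD = {
    "nbf": 1511129451,
    "exp": 1511993451,
    "iss": "http://badderrankidentityuat.azurewebsites.net",
    "aud": ["http://badderrankidentityuat.azurewebsites.net/resources", "badders-rank-api"],
    "client_id": "web-badders-rank",
    "sub": "1",
    "scope": ["openid", "profile", "badders-rank-api"],
}


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact serialization strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed token: real header/payload from the log, placeholder signature.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(PAYLOAD, separators=(",", ":")).encode()),
    b64url_encode(b"constructed-signature-placeholder"),
])

# Constructed JWKS documents (public key material omitted; only kid matters here).
STALE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                        "kid": "0123456789abcdef0123456789abcdef"}]}  # regenerated dev key
FRESH_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                        "kid": "e7a1b4f0f43cb701eb7f738932d193a4"}]}  # key that signed the token


def decode_unverified(token: str):
    """Split a compact JWS and decode header and payload without checking the
    signature. Diagnostic only: claims are untrusted until verification passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def diagnose(token: str, jwks: dict, now: int, expected_aud: str) -> str:
    """Report the first reason a resource server would reject this token.
    Key lookup comes first because, as the stack trace above shows, the handler
    fails inside ValidateSignature before it ever evaluates exp/nbf/aud."""
    header, payload = decode_unverified(token)
    known_kids = {key.get("kid") for key in jwks.get("keys", [])}
    if header.get("kid") not in known_kids:
        return "kid-not-in-jwks"
    if expected_aud not in payload.get("aud", []):
        return "audience-mismatch"
    if now < payload.get("nbf", 0):
        return "not-yet-valid"
    if now >= payload.get("exp", 0):
        return "expired"
    return "ready-for-signature-check"


def configured_lifetime_seconds(token: str) -> int:
    """Lifetime the issuer actually stamped into the token (exp - nbf)."""
    _, payload = decode_unverified(token)
    return payload["exp"] - payload["nbf"]


if __name__ == "__main__":
    issued_plus_one = PAYLOAD["nbf"] + 1
    print("against stale JWKS:", diagnose(SAMPLE_TOKEN, STALE_JWKS, issued_plus_one, "badders-rank-api"))
    print("against fresh JWKS:", diagnose(SAMPLE_TOKEN, FRESH_JWKS, issued_plus_one, "badders-rank-api"))
    print("lifetime in days:", configured_lifetime_seconds(SAMPLE_TOKEN) // 86400)
```

Run against a live deployment, you would fetch `/.well-known/openid-configuration/jwks` from the authority and pass that JSON as `jwks`; if the `kid` from a token the API just rejected is missing from the current key set, the signing key changed underneath the token (unpersisted developer credential, or a key rotation the API's cached discovery document has not picked up yet), and the fix is persisting or explicitly configuring the signing key, not lengthening `AccessTokenLifetime`.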

@leastprivilege thanks! I think this https://stackoverflow.com/questions/42588203/bearer-was-not-authenticated-signature-validation-failed/42699010?noredirect=1#comment81798625_42699010 confirms what you said.

@tspringr cool! While I don't think that's my main problem for now (as my current token expires in about one hour or so), it's definitely something I need to know if I want an access token valid for longer than 10 hours.

All set on this issue -- can we close?

@brockallen I have added a temp signing key as Dom suggested and it seems to have fixed the problem. So please close this. Thanks.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
