OAuth2 WebApi Token Duration

I am trying to set the expiration time of the token dynamically, but it seems like it just continues defaulting to 20 minutes.

Here is my ConfigureAuth:

    public void ConfigureAuth(IAppBuilder app)
    {
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(""),
            // In production mode set AllowInsecureHttp = false
            AllowInsecureHttp = true
        };

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);
    }

Here is my GrantResourceOwnerCredentials method:

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

        var hasValidLogin = (new login().authenticate(context.UserName, context.Password, "") == "valid");
        if (hasValidLogin == false)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }

        var oAuthIdentity = CreateIdentity(context);
        var oAuthProperties = CreateProperties(context);
        AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, oAuthProperties);
        context.Validated(ticket);
        return Task.FromResult<object>(null);
    }

And here is my SetProperties method, where I can set the expiration date:

    public static AuthenticationProperties CreateProperties(OAuthGrantResourceOwnerCredentialsContext context)
    {
        IDictionary<string, string> data = new Dictionary<string, string>
        {
            { "client_id", context.ClientId }
        };
        var response = new AuthenticationProperties(data);
        // ExpiresUtc expects a UTC instant; DateTime.Now would be local time.
        response.ExpiresUtc = DateTimeOffset.UtcNow.AddMonths(1);
        return response;
    }

Even after that, the token returned is:

    {
      "access_token": ".....",
      "token_type": "bearer",
      "expires_in": 1199,
      "client_id": ".....",
      ".expires": "Fri, 13 Nov 2015 20:24:06 GMT",
      ".issued": "Fri, 13 Nov 2015 20:04:06 GMT"
    }

Any ideas why I cannot set the expiration where I am doing it now? This server will serve different clients with different expiration dates, so I decided that this is the place for it. Is there somewhere else I should do this? Thanks!

+8
asp.net-web-api oauth owin
4 answers

The behavior you see is directly caused by the fact that the OAuth2 authorization server always discards your own expiration when you set it in the GrantResourceOwnerCredentials notification (the other Grant* notifications are affected the same way): https://github.com/jchannon/katanaproject/blob/master/src/Microsoft.Owin.Security.OAuth/OAuthAuthorizationServerHandler.cs#L386

The workaround is to set the expiration date in AuthenticationTokenProvider.CreateAsync (the class you use for OAuthAuthorizationServerOptions.AccessTokenProvider):

Just set context.Ticket.Properties.ExpiresUtc with the expiration date of your choice and it should work as intended:

    public class AccessTokenProvider : AuthenticationTokenProvider
    {
        public override void Create(AuthenticationTokenCreateContext context)
        {
            // Set the appropriate expiration date here (one hour is only an example value).
            context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddHours(1);
            context.SetToken(context.SerializeTicket());
        }
    }

You can also take a look at AspNet.Security.OpenIdConnect.Server, an OAuth2 authorization server for OWIN/Katana, which natively supports setting expiration dates from GrantResourceOwnerCredentials: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/dev

+5

We have a similar situation with different clients who have different token timeouts, so we wanted to be able to set the expiration accordingly. In the AuthenticationTokenProvider that we implemented, we set the expiration, but it was overwritten by the time the token was signed.

The solution we were happy with was to override the TokenEndpoint method. There we can apply the client's expiration:

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        if (context.TokenIssued)
        {
            // Client information: the timeout configured for this client
            // (LookupClientTimeoutSeconds is a hypothetical lookup against your client store).
            int accessTokenTimeoutSeconds = LookupClientTimeoutSeconds(context);
            var accessExpiration = DateTimeOffset.UtcNow.AddSeconds(accessTokenTimeoutSeconds);
            context.Properties.ExpiresUtc = accessExpiration;
        }
        return Task.FromResult<object>(null);
    }

* Edited to resolve race conditions.

+10
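To make the per-client idea in this answer concrete, here is an added example (not code from the question or any answer): a provider whose TokenEndpoint override looks the client's lifetime up in a constructed registry, falls back to the server default for unknown clients, and clamps the result to a ceiling. It assumes the client_id is stored in the ticket properties the way the question's CreateProperties does, and that GrantResourceOwnerCredentials and ValidateClientAuthentication are the ones already in the question's ApplicationOAuthProvider.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Katana calls TokenEndpoint after stamping the default IssuedUtc/ExpiresUtc on the
// ticket and before serializing it, so the value set here is what ends up in
// "expires_in" and ".expires".
public class PerClientLifetimeProvider : OAuthAuthorizationServerProvider
{
    // Constructed client registry for this example; a real service loads this
    // from its client store.
    private static readonly IDictionary<string, TimeSpan> ClientLifetimes =
        new Dictionary<string, TimeSpan>(StringComparer.Ordinal)
        {
            { "web-spa",     TimeSpan.FromMinutes(20) },
            { "backend-job", TimeSpan.FromHours(8) },
        };

    // Hard ceiling so a bad registry entry can never mint a very long-lived token.
    private static readonly TimeSpan MaxLifetime = TimeSpan.FromHours(24);

    // Lifetime for clientId: registry value, else the server default; always clamped.
    public static TimeSpan ResolveLifetime(string clientId, TimeSpan serverDefault)
    {
        TimeSpan lifetime;
        if (clientId == null || !ClientLifetimes.TryGetValue(clientId, out lifetime))
            lifetime = serverDefault;
        return lifetime > MaxLifetime ? MaxLifetime : lifetime;
    }

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        if (context.TokenIssued)
        {
            // The question's CreateProperties stores client_id in the ticket
            // properties; read it back from there rather than trusting the request.
            string clientId;
            context.Properties.Dictionary.TryGetValue("client_id", out clientId);

            // Anchor the expiry to the issue time the handler already stamped.
            var issued = context.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
            var lifetime = ResolveLifetime(clientId, context.Options.AccessTokenExpireTimeSpan);
            context.Properties.ExpiresUtc = issued.Add(lifetime);
        }
        return Task.FromResult<object>(null);
    }
}
```

Wire it in with Provider = new PerClientLifetimeProvider() in OAuthAuthorizationServerOptions; the server-wide AccessTokenExpireTimeSpan then only acts as the fallback for clients missing from the registry.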

You can set it in the TokenEndpoint method instead of the GrantResourceOwnerCredentials method. See my answer to a similar question here.

Hope this helps.

+2

I'll throw this in here: at the moment there is a simple way that needs no new class, you just set the option:

    OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    {
        ...
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
        ...
    };

+1
