I use AspNet.Security.OpenIdConnect.Server to issue JWT tokens and the AuthorizationCodeLifetime parameter is set to 30 seconds. Here is the code snippet that I use to set the parameters:

```csharp
options.TokenEndpointPath = "/api/token";
options.AllowInsecureHttp = true;
options.AccessTokenHandler = new JwtSecurityTokenHandler();
options.SigningCredentials.Add(new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
options.AccessTokenLifetime = TimeSpan.FromSeconds(30);
options.AuthorizationCodeLifetime = TimeSpan.FromSeconds(30);
```
The returned token response contains:

```json
"expires_in": 30,
```

and the decoded token contains the following claims:

```json
"nbf": 1476915220,
"exp": 1476915250,
"iat": 1476915220,
```
As you can see, the exp (expiry time) is 30 seconds after iat (issued-at time). However, the token does not start returning 401 Unauthorized until 5 minutes after its expiration. If we plug the exp value into http://www.epochconverter.com/, we see that it corresponds to Wed, 19 Oct 2016 22:14:10 GMT, which is 5:14:10 PM local time.

Here are some of the log entries from the Core app:

```
Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired. ValidTo: '10/19/2016 22:14:10' Current time: '10/19/2016 22:19:10'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, JwtSecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[7]
      Bearer was not authenticated. Failure message: IDX10223: Lifetime validation failed. The token is expired. ValidTo: '10/19/2016 22:14:10' Current time: '10/19/2016 22:19:10'.
```
Of course, this log on its own does not prove that the server accepted the token between 22:14:10 and 22:19:10. It would look the same if I had simply waited 5 minutes after it expired and then tried to validate the token, so you have to take my word for it: I tested in Postman and clicked "Submit" every second until I got a 401.

So what gives? Is there a built-in 5-minute buffer that I don't know about? Interestingly, the default value for AccessTokenLifetime is 5 minutes, but the token definitely reflects the fact that I changed it to 30 seconds. What's happening?
Relevant packages that I use:

```xml
<package id="AspNet.Security.OpenIdConnect.Extensions" version="1.0.0-beta6-final" targetFramework="net452" />
<package id="AspNet.Security.OpenIdConnect.Server" version="1.0.0-beta6-final" targetFramework="net452" />
<package id="Microsoft.AspNetCore.Authentication.JwtBearer" version="1.0.0" targetFramework="net452" />
```
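The following is an added example, not code from the question or from the AspNet.Security.OpenIdConnect.Server project. It isolates the lifetime check that the stack trace above goes through (`JwtSecurityTokenHandler.ValidateToken` with `Microsoft.IdentityModel.Tokens.TokenValidationParameters`) so the window in which an expired token is still accepted can be measured without a running server. `TokenValidationParameters.ClockSkew` defaults to `TokenValidationParameters.DefaultClockSkew`, which is five minutes; the example mints a token that expired 30 seconds ago and validates it with the default skew and with zero skew. The issuer, audience, subject and signing key are constructed for the demo and are not taken from the question. It assumes System.IdentityModel.Tokens.Jwt 5.x, the generation the JwtBearer 1.0.0 package depends on.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added demo (not from the original question): how ClockSkew widens the
// acceptance window of a JWT past its "exp" claim.
class ClockSkewDemo
{
    // Constructed demo key (32 bytes, satisfying the HS256 minimum key size).
    // Never ship a hard-coded key; this exists only so the demo runs offline.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-signing-key-demo-signing-key"));

    // Mint a token with the same shape as in the question: nbf == iat, exp = iat + 30 s.
    static string CreateToken(DateTime issuedAtUtc)
    {
        var token = new JwtSecurityToken(
            issuer: "demo-issuer",
            audience: "demo-audience",
            claims: new[] { new Claim("sub", "alice") },
            notBefore: issuedAtUtc,
            expires: issuedAtUtc.AddSeconds(30),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Run the library's own lifetime validation against DateTime.UtcNow with the given skew.
    // Returns true when the token is accepted, false when the library rejects it as expired.
    static bool IsAccepted(string jwt, TimeSpan clockSkew)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "demo-issuer",
            ValidAudience = "demo-audience",
            IssuerSigningKey = Key,
            ValidateLifetime = true,
            RequireExpirationTime = true,
            ClockSkew = clockSkew
        };

        try
        {
            SecurityToken validated;
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
            return true;
        }
        catch (SecurityTokenExpiredException)
        {
            return false;
        }
    }

    static void Main()
    {
        var now = DateTime.UtcNow;

        // Issued 60 s ago with a 30 s lifetime: exp is 30 s in the past.
        string recentlyExpired = CreateToken(now.AddSeconds(-60));
        // Issued 7 min ago with a 30 s lifetime: exp is well beyond the default skew.
        string longExpired = CreateToken(now.AddMinutes(-7));

        Console.WriteLine("Default ClockSkew: " + TokenValidationParameters.DefaultClockSkew);
        Console.WriteLine("30 s past exp, default skew: " +
            IsAccepted(recentlyExpired, TokenValidationParameters.DefaultClockSkew));
        Console.WriteLine("30 s past exp, zero skew:    " +
            IsAccepted(recentlyExpired, TimeSpan.Zero));
        Console.WriteLine("6.5 min past exp, default skew: " +
            IsAccepted(longExpired, TokenValidationParameters.DefaultClockSkew));
    }
}
```

With the default skew the first token is accepted 30 seconds after its exp, with zero skew it is rejected, and the token that expired beyond five minutes is rejected either way, which is the 5-minute pattern observed in the question. In the JwtBearer middleware the same knob is `options.TokenValidationParameters.ClockSkew`; set it to a value that matches the real clock drift between issuer and resource server rather than leaving a five-minute window on a token that is meant to live for 30 seconds.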