Description
I have an application using following packages
Autofac version="4.8.1" targetFramework="net471"
Autofac.Owin version="4.2.0" targetFramework="net471"
Autofac.WebApi2" version="4.2.0" targetFramework="net471"
Autofac.WebApi2.Owin" version="4.0.0" targetFramework="net471"
jose-jwt" version="2.4.0" targetFramework="net471"
Microsoft.AspNet.Cors" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Client" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Core" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Owin" version="5.2.6" targetFramework="net471"
Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="1.0.7" targetFramework="net471"
Microsoft.IdentityModel.Logging" version="5.2.4" targetFramework="net471"
Microsoft.IdentityModel.Tokens" version="5.2.4" targetFramework="net471"
Microsoft.Net.Compilers" version="2.1.0" targetFramework="net471"
Microsoft.Owin" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Cors" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Host.SystemWeb" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net471"
Newtonsoft.Json" version="11.0.2" targetFramework="net471"
Owin" version="1.0" targetFramework="net471"
Serilog" version="2.7.1" targetFramework="net471"
Swashbuckle.Core" version="5.6.0" targetFramework="net471"
System.IdentityModel.Tokens.Jwt" version="4.0.4.403061554" targetFramework="net471"
Server is issuing tokens with expiry time of 20 minutes.
In resource server I have following configuration
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters()
{
ClockSkew = TimeSpan.FromSeconds(_allowedClockDriftSeconds),
IssuerSigningKey = ...
ValidateIssuer = true,
ValidateAudience = true,
RequireSignedTokens = true,
ValidIssuer = "...",
ValidAudience = "....",
};
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { "ConsumerDataServices" },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
...
},
TokenHandler = new JoseJwtTokenHandler(decryptionHandler, logger),
TokenValidationParameters = tokenValidationParameters,
});
}
Auth Server is issuing tokens as JWE Tokens. JoseJwtTokenHandler is overriding ReadToken to decrypt and return JWT Token,
Everything works find for 20 minutes. I Can see my claims in principal.Identity in AuthorizationFilterAttribut. But after 20 minutes authorization stops working as principal.Identity.IsAuthenticated is set to false and claims are empty. On debugging I can see that JoseJwtTokenHandler is working fine.
In my logs I can see following
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Warning: 0 : expired bearer token received
Looking at code of Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler
DateTimeOffset currentUtc = this.Options.SystemClock.UtcNow;
if (ticket.Properties.ExpiresUtc.HasValue && ticket.Properties.ExpiresUtc.Value < currentUtc)
{
this._logger.WriteWarning("expired bearer token received");
return (AuthenticationTicket) null;
}
It looks like OAuthBearerAuthenticationHandler is ignoring ClockSkew.
I have spent lot of time on it but couldn't get it to work. Does what I am doing looks OK? If not what is the correct way to do this?