Closed FinHorsley closed 2 months ago
I'm curious why you are sending JWTs to the introspection endpoint, as its main purpose is to work with reference tokens. It works with JWTs for the rare cases where clients are for some reason not able to do token validation themselves.
As you mentioned, this has to do with ClockSkew, which by default is set to 300 seconds (5 minutes). It is not designed to be customizable at this point because it is part of the TokenValidator, which is critical for the operation of IdentityServer.
In the ValidateJwtAsync method an instance of TokenValidationParameters is created which has the ClockSkew set to 5 minutes. The only way to deviate from that really is to use your own TokenValidator that sets a different value for the ClockSkew in the TokenValidationParameters. But we don't recommend that. The default value should suffice for the vast majority of cases.
@FinHorsley Are you in the clear about this? If so I'd like to close this issue.
Closing for now, but feel free to reopen if needed.
Which version of Duende IdentityServer are you using? 7.0.0
Which version of .NET are you using? 8.0.204
Describe the bug An accessToken that has expired still returns
{ Active: true }
from the introspection endpoint. Could this be to do with clockSkew? I've hit this problem clientSide, but didn't know if the introspection endpoint follows the same pattern for token validation (aspnetcore by default is 5 mins)
To Reproduce
{ Active: true }
Expected behavior The introspection endpoint returns Active: false as documented https://docs.duendesoftware.com/identityserver/v7/reference/endpoints/introspection/
Log output/exception with stacktrace
note the time in the logs at
2024-05-02 14:40:08.959297 Debug . - Token validation success
is after the "exp": 1714657203, which converted to DateTime is 02/05/2024 14:40:03
Additional context N/A
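The ClockSkew behaviour discussed in this thread can be reproduced outside IdentityServer with the Microsoft.IdentityModel validation library that provides TokenValidationParameters. The following is an added example, not code from the issue or from Duende: it validates a JWT that expired 5 seconds ago, first with the library's default 5-minute skew and then with zero skew. The signing key and token are constructed sample values, and the System.IdentityModel.Tokens.Jwt NuGet package is assumed.

```csharp
// Added example: lifetime validation with default vs. zero ClockSkew.
// Assumes the System.IdentityModel.Tokens.Jwt NuGet package is referenced.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed demo key (HS256 needs at least 32 bytes); not a real secret.
var key = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes!!"));
var handler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;

// Token that expired 5 seconds ago, mirroring the report
// (validation logged at 14:40:08, exp at 14:40:03).
var jwt = handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
{
    NotBefore = now.AddMinutes(-10),
    IssuedAt = now.AddMinutes(-10),
    Expires = now.AddSeconds(-5),
    SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
}));

// Returns true if the token passes signature and lifetime validation
// with the given clock skew, false if it is rejected as expired.
bool IsAccepted(TimeSpan clockSkew)
{
    var parameters = new TokenValidationParameters
    {
        IssuerSigningKey = key,
        ValidateIssuer = false,    // issuer/audience are irrelevant to this check
        ValidateAudience = false,
        ValidateLifetime = true,
        ClockSkew = clockSkew
    };
    try
    {
        handler.ValidateToken(jwt, parameters, out _);
        return true;
    }
    catch (SecurityTokenExpiredException)
    {
        return false;
    }
}

// DefaultClockSkew is the library default of 300 seconds.
Console.WriteLine($"Default skew: accepted = {IsAccepted(TokenValidationParameters.DefaultClockSkew)}");
Console.WriteLine($"Zero skew:    accepted = {IsAccepted(TimeSpan.Zero)}");
```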