Closed. mandm-pt closed this 8 years ago.
This might be due to clock skew -- I forget where/if we have that in there. Is there any point in time where it does get rejected?
I've tested this again. If I change the clock +/- 7 minutes, the token is considered invalid. I was trying to debug the project System.IdentityModel.Tokens.Jwt, which is responsible for validating the token, but I couldn't: I can't set a breakpoint inside "ValidateToken".
Here's another sample:
Token
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjQ0MzMzL2NvcmUiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjQ0MzMzL2NvcmUvcmVzb3VyY2VzIiwiZXhwIjoxNDY0MzQ5OTUwLCJuYmYiOjE0NjQzNDk5NDEsImNsaWVudF9pZCI6ImN1c3RvbWdyYW50LmNsaWVudCIsInNjb3BlIjpbIm9mZmxpbmVfYWNjZXNzIiwicmVhZCIsIndyaXRlIl0sInN1YiI6IjgxODcyNyIsImF1dGhfdGltZSI6MTQ2NDM0OTk0MSwiaWRwIjoiaWRzcnYiLCJhbXIiOlsiY3VzdG9tIl19.NSZVgLMavDB1qzuS2H9pIG5Iin-iztHEmrnvWAEp8IQ51M4XQ5ycMvFAJ9XYnWZize5hAcd2cs4yNnX76o4nFDPTR3zqlnEffIwntut0X3Jcmh-kYfm9kN3paFOIvcjejvWzQX_Ip3JMVFrxvYxdYmTNuMDM8nvTVVHyWaH2sZ2Fh4wQhNfMECaUkIMtBiTjMQGVyuwwTH6PRZZTCZaW1rnYd9oG9OLvAUfI6ECaQSz94GMkgUJEDjlq-ftr84C_2Sel5mBOcRk-XR-Gg36rXo9QRk8pyS8xekQkMKoM4kYRRcDwonRHee88MNv5X-G3ak7JGZ3s8nKHNcMLDzinHw
Here's the exception that I'm getting:
IDX10223: Lifetime validation failed. The token is expired.
ValidTo: '05/27/2016 11:52:30'
Current time: '05/27/2016 11:59:50'.
So even the exception says it is valid to 11:52:30, but if I change the clock to 11:55:00 it is valid!
OK, so I finally managed to debug System.IdentityModel.Tokens.Jwt.
It has:
public static readonly TimeSpan DefaultClockSkew = TimeSpan.FromSeconds(300); // 5 min.
OK, so this explains the token validation.
But what about the other "issue"? When I set ValidationMode = ValidationEndpoint, every time I try to access the web API I see the call from the web API to Identity Server (introspect endpoint). If I change to Both I never see that call, whether the token is valid or invalid.
ValidationEndpoint means always call IdSvr to validate (even if it's a JWT). If it's Both then the middleware detects if it's a JWT or not. If it's a JWT then it does local validation.
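The two points made in this thread, the 5-minute DefaultClockSkew that makes the token above "valid" at 11:55:00 but expired at 11:59:50, and the difference between ValidationEndpoint, Local and Both, as an added example that is not IdentityServer3's code nor the issue author's. It decodes the token posted earlier in the thread (signature not verified, only the lifetime is examined), applies the lifetime rule with the same 300-second skew, and models the three ValidationMode settings as the maintainer describes them; `introspect` is an assumed stand-in callable for the call to the introspection endpoint, and the function names and the `at_utc` helper are assumptions for illustration.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Same value as the DefaultClockSkew found in System.IdentityModel.Tokens.Jwt.
DEFAULT_CLOCK_SKEW = timedelta(seconds=300)

# The access token posted in this thread: exp 1464349950 (05/27/2016 11:52:30 UTC),
# nbf 1464349941, i.e. the 9-second AccessTokenLifetime from the issue.
SAMPLE_TOKEN = ".".join([
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIs"
    "ImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9",
    "eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjQ0MzMzL2NvcmUiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjQ0"
    "MzMzL2NvcmUvcmVzb3VyY2VzIiwiZXhwIjoxNDY0MzQ5OTUwLCJuYmYiOjE0NjQzNDk5NDEsImNsaWVudF9p"
    "ZCI6ImN1c3RvbWdyYW50LmNsaWVudCIsInNjb3BlIjpbIm9mZmxpbmVfYWNjZXNzIiwicmVhZCIsIndyaXRl"
    "Il0sInN1YiI6IjgxODcyNyIsImF1dGhfdGltZSI6MTQ2NDM0OTk0MSwiaWRwIjoiaWRzcnYiLCJhbXIiOlsi"
    "Y3VzdG9tIl19",
    "NSZVgLMavDB1qzuS2H9pIG5Iin-iztHEmrnvWAEp8IQ51M4XQ5ycMvFAJ9XYnWZize5hAcd2cs4yNnX76o4n"
    "FDPTR3zqlnEffIwntut0X3Jcmh-kYfm9kN3paFOIvcjejvWzQX_Ip3JMVFrxvYxdYmTNuMDM8nvTVVHyWaH2"
    "sZ2Fh4wQhNfMECaUkIMtBiTjMQGVyuwwTH6PRZZTCZaW1rnYd9oG9OLvAUfI6ECaQSz94GMkgUJEDjlq-ftr"
    "84C_2Sel5mBOcRk-XR-Gg36rXo9QRk8pyS8xekQkMKoM4kYRRcDwonRHee88MNv5X-G3ak7JGZ3s8nKHNcML"
    "DzinHw",
])


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def looks_like_jwt(token: str) -> bool:
    """The check 'Both' mode needs: three base64url segments with a JSON header carrying alg."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def decode_payload_unverified(token: str) -> dict:
    """Payload claims only; the RS256 signature is deliberately not checked here."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def at_utc(hour: int, minute: int, second: int) -> datetime:
    """Helper (assumed, for the demo): a UTC instant on the day of the token in the thread."""
    return datetime(2016, 5, 27, hour, minute, second, tzinfo=timezone.utc)


def validate_lifetime(payload: dict, now: datetime, clock_skew: timedelta = DEFAULT_CLOCK_SKEW):
    """Lifetime rule with skew: accept while nbf - skew <= now <= exp + skew.
    Returns (ok, reason); the expiry reason mirrors the IDX10223 text quoted in the thread."""
    fmt = "%m/%d/%Y %H:%M:%S"
    exp = datetime.fromtimestamp(payload["exp"], tz=timezone.utc)
    nbf = datetime.fromtimestamp(payload["nbf"], tz=timezone.utc)
    if now < nbf - clock_skew:
        return False, "Token is not yet valid. ValidFrom: '%s' Current time: '%s'." % (
            nbf.strftime(fmt), now.strftime(fmt))
    if now > exp + clock_skew:
        return False, ("Lifetime validation failed. The token is expired. "
                       "ValidTo: '%s' Current time: '%s'." % (exp.strftime(fmt), now.strftime(fmt)))
    return True, "ok"


def validate_access_token(token: str, mode: str, now: datetime, introspect,
                          clock_skew: timedelta = DEFAULT_CLOCK_SKEW):
    """Model of the ValidationMode settings as explained in this thread:
    ValidationEndpoint always calls introspection (the `introspect` callable stands in for
    that HTTP call), Local always validates the JWT locally, Both validates locally when the
    token looks like a JWT and otherwise falls back to introspection."""
    if mode == "Local" or (mode == "Both" and looks_like_jwt(token)):
        if not looks_like_jwt(token):
            return False, "local: token is not a JWT"
        ok, reason = validate_lifetime(decode_payload_unverified(token), now, clock_skew)
        return ok, "local: " + reason
    return introspect(token)


if __name__ == "__main__":
    claims = decode_payload_unverified(SAMPLE_TOKEN)
    for clock in ((11, 55, 0), (11, 57, 30), (11, 59, 50)):
        print(clock, validate_lifetime(claims, at_utc(*clock)))
```

Running the block prints the three outcomes from the thread: 11:55:00 and 11:57:30 are accepted because they fall within exp + 5 minutes, 11:59:50 is rejected with the same ValidTo/Current time pair as the IDX10223 exception above. With Both, the JWT is validated locally and the introspection stand-in is never called, which matches the observation that no introspect call shows up in Fiddler in that mode.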
Issue
I have configured the AccessTokenLifetime to expire after 9 seconds. In my web API project, if I specify ValidationMode = ValidationEndpoint, the token is accepted even after the 9 seconds. If I change the mode to Local or Both, after the 9 seconds the token is rejected.
An additional thing I noticed: if I set ValidationMode = ValidationEndpoint, every time I try to access the web API I see the call from the web API to Identity Server (introspect endpoint). If I change to Both I never see that call, whether the token is valid or invalid.
I'm using the latest Identity Server 3.
Clients Config:
Relevant parts of the log file
Console log:
Fiddler log:
Call API Raw request
introspect Raw Request
introspect Raw Response