Proper way of using Clockskew in OWIN JWT OAuth

Proper way of using Clockskew in OWIN JWT OAuth

I have an application using following packages

Autofac version="4.8.1" targetFramework="net471" Autofac.Owin version="4.2.0" targetFramework="net471" Autofac.WebApi2" version="4.2.0" targetFramework="net471" Autofac.WebApi2.Owin" version="4.0.0" targetFramework="net471" jose-jwt" version="2.4.0" targetFramework="net471" Microsoft.AspNet.Cors" version="5.2.6" targetFramework="net471" Microsoft.AspNet.WebApi.Client" version="5.2.6" targetFramework="net471" Microsoft.AspNet.WebApi.Core" version="5.2.6" targetFramework="net471" Microsoft.AspNet.WebApi.Owin" version="5.2.6" targetFramework="net471" Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="1.0.7" targetFramework="net471" Microsoft.IdentityModel.Logging" version="5.2.4" targetFramework="net471" Microsoft.IdentityModel.Tokens" version="5.2.4" targetFramework="net471" Microsoft.Net.Compilers" version="2.1.0" targetFramework="net471" Microsoft.Owin" version="3.1.0" targetFramework="net471" Microsoft.Owin.Cors" version="3.1.0" targetFramework="net471" Microsoft.Owin.Host.SystemWeb" version="3.1.0" targetFramework="net471" Microsoft.Owin.Security" version="3.1.0" targetFramework="net471" Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net471" Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net471" Newtonsoft.Json" version="11.0.2" targetFramework="net471" Owin" version="1.0" targetFramework="net471" Serilog" version="2.7.1" targetFramework="net471" Swashbuckle.Core" version="5.6.0" targetFramework="net471" System.IdentityModel.Tokens.Jwt" version="4.0.4.403061554" targetFramework="net471"

Server is issuing tokens with expiry time of 20 minutes.

In resource server I have following configuration

TokenValidationParameters tokenValidationParameters = new TokenValidationParameters() { ClockSkew = TimeSpan.FromSeconds(_allowedClockDriftSeconds), IssuerSigningKey = ... ValidateIssuer = true, ValidateAudience = true, RequireSignedTokens = true, ValidIssuer = "...", ValidAudience = "....", }; app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions { AuthenticationMode = AuthenticationMode.Active, AllowedAudiences = new { "ConsumerDataServices" }, IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider {...}, TokenHandler = new JoseJwtTokenHandler(decryptionHandler, logger), TokenValidationParameters = tokenValidationParameters, });

Auth Server is issuing tokens as JWE Tokens. JoseJwtTokenHandler is overriding ReadToken to decrypt and return JWT Token,

Everything works find for 20 minutes. I Can see my claims in principal.Identity in AuthorizationFilterAttribut. But after 20 minutes authorization stops working as principal.Identity.IsAuthenticated is set to false and claims are empty. On debugging I can see that JoseJwtTokenHandler is working fine.

In my logs I can see following

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Warning: 0 : expired bearer token received

Looking at code of Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler

DateTimeOffset currentUtc = this.Options.SystemClock.UtcNow; if (ticket.Properties.ExpiresUtc.HasValue && ticket.Properties.ExpiresUtc.Value < currentUtc) { this._logger.WriteWarning("expired bearer token received"); return (AuthenticationTicket) null; }

It looks like OAuthBearerAuthenticationHandler is ignoring ClockSkew.

I have spent lot of time on it but couldn't get it to work. Does what I am doing looks OK? If not what is the correct way to do this?

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

41vJE0JxqY93LnOivp3x7hMBg lc 5R4,9n8 PyOqQ7s6D6Wu3zxCWGxS

搜尋此網誌

Ciugk