Proper way of using Clockskew in OWIN JWT OAuth

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP


Proper way of using Clockskew in OWIN JWT OAuth



I have an application using following packages


Autofac version="4.8.1" targetFramework="net471"
Autofac.Owin version="4.2.0" targetFramework="net471"
Autofac.WebApi2" version="4.2.0" targetFramework="net471"
Autofac.WebApi2.Owin" version="4.0.0" targetFramework="net471"
jose-jwt" version="2.4.0" targetFramework="net471"
Microsoft.AspNet.Cors" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Client" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Core" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Owin" version="5.2.6" targetFramework="net471"
Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="1.0.7" targetFramework="net471"
Microsoft.IdentityModel.Logging" version="5.2.4" targetFramework="net471"
Microsoft.IdentityModel.Tokens" version="5.2.4" targetFramework="net471"
Microsoft.Net.Compilers" version="2.1.0" targetFramework="net471"
Microsoft.Owin" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Cors" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Host.SystemWeb" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net471"
Newtonsoft.Json" version="11.0.2" targetFramework="net471"
Owin" version="1.0" targetFramework="net471"
Serilog" version="2.7.1" targetFramework="net471"
Swashbuckle.Core" version="5.6.0" targetFramework="net471"
System.IdentityModel.Tokens.Jwt" version="4.0.4.403061554" targetFramework="net471"



Server is issuing tokens with expiry time of 20 minutes.



In resource server I have following configuration


TokenValidationParameters tokenValidationParameters = new
TokenValidationParameters()
{
ClockSkew = TimeSpan.FromSeconds(_allowedClockDriftSeconds),
IssuerSigningKey = ...
ValidateIssuer = true,
ValidateAudience = true,
RequireSignedTokens = true,
ValidIssuer = "...",
ValidAudience = "....",
};

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new { "ConsumerDataServices" },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider
{...},
TokenHandler = new JoseJwtTokenHandler(decryptionHandler, logger),
TokenValidationParameters = tokenValidationParameters,
});



Auth Server is issuing tokens as JWE Tokens. JoseJwtTokenHandler is overriding ReadToken to decrypt and return JWT Token,



Everything works find for 20 minutes. I Can see my claims in principal.Identity in AuthorizationFilterAttribut. But after 20 minutes authorization stops working as principal.Identity.IsAuthenticated is set to false and claims are empty. On debugging I can see that JoseJwtTokenHandler is working fine.



In my logs I can see following



Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Warning: 0 : expired bearer token received



Looking at code of Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler


DateTimeOffset currentUtc = this.Options.SystemClock.UtcNow;
if (ticket.Properties.ExpiresUtc.HasValue && ticket.Properties.ExpiresUtc.Value < currentUtc)
{
this._logger.WriteWarning("expired bearer token received");
return (AuthenticationTicket) null;
}



It looks like OAuthBearerAuthenticationHandler is ignoring ClockSkew.



I have spent lot of time on it but couldn't get it to work. Does what I am doing looks OK? If not what is the correct way to do this?









By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

Visual Studio Code: How to configure includePath for better IntelliSense results

Image
Clash Royale CLAN TAG #URR8PPP Visual Studio Code: How to configure includePath for better IntelliSense results so I am a complete beginner to using Visual Studio Code and I have no clue what I am doing. I've searched around (maybe not enough), but I cant find just a simple explanation for someone like me on how to configure the c_cpp_properties.json file that I am redirected to whenever I click on the yellow lightbulb next to a line that is underlined with a green squiggle. Lightbulb example c_cpp_properties.json I just want to know what to put in the .json to make IntelliSense work properly This question has answers that may be good or bad; the system has marked it active so that they can be reviewed. 2 Answers 2 From: https://code.visualstudio.com/docs/languages/cpp Below you can see that the MinGW C++ include path has been added to browse.path for Windows: { "name": "Win32...
Read more

Spring cloud config client Could not locate PropertySource

Image
Clash Royale CLAN TAG #URR8PPP Spring cloud config client Could not locate PropertySource My config server use natie file system works fine and the dev profile configured contextPath: /config spring: application: name: dcit-config profiles: active: native management: endpoints: web: exposure: include: info, health, metrics metrics: export: atlas: enabled: true --- spring: profiles: native application: name: dcit-config cloud: config: server: native: searchLocations: classpath:/config/ server: port: 2003 eureka: instance: prefer-ip-address: true lease-renewal-interval-in-seconds: 5 lease-expiration-duration-in-seconds: 20 client: serviceUrl: defaultZone: http://dcit:dcit@localhost:1023/eureka registry-fetch-interval-seconds: 10 --- spring: profiles: dev application: name: dcit-config cloud: config: server: git: uri: http://xxx/gi...
Read more

Current 93

Image
Current 93 Current 93 in 2006 Background information Origin London, England, United Kingdom Genres Apocalyptic folk, experimental, post-industrial, psychedelic folk, progressive folk, Christian music Years active 1982–present Labels Coptic Cat Durtro United Dairies Jnana L.A.Y.L.A.H. Antirecords Beta-lactam Ring Records Members David Tibet Steven Stapleton Michael Cashmore Past members Douglas P. Rose McDowall Christoph Heemann William Breeze Current 93 are a British experimental music group, working since the early 1980s in folk-based musical forms. The band was founded in 1982 [1] by David Tibet (né David Michael Bunting, renamed 'Tibet' by Genesis P-Orridge [2] some time prior to forming the group). Contents 1 Background 2 Discography 2.1 Primary, full-length, Current 93 studio albums 2.2 Full discography 2.3 Compilation appearances 2.4 Current 93 Presents releases 3 Sheet music 4 See also 5 References 6 External links Background Tibet has been the only constan...
Read more