Custom Lifetime Check with AspNet.Security.OpenIdConnect.Server (ASP.NET vNext)

I am using Visual Studio 2015 Enterprise Update 1 and ASP.NET vNext rc1-update1 to issue and consume JWT tokens as described here.

In our implementation, we want to control how the token's validity period is checked.

We tried several approaches, all of which had undesirable side effects. For example, in one attempt we used the TokenValidationParameters.LifetimeValidator event in the Configure method:

    app.UseJwtBearerAuthentication(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters()
        {
            LifetimeValidator = (DateTime? notBefore, DateTime? expires,
                                 SecurityToken securityToken,
                                 TokenValidationParameters validationParameters) =>
            {
                // Pretend to do custom validation
                return false;
            }
        };
    });

This makes validation fail, as we want, but the client receives a 500 error, while we would like to return a 4xx error with a small payload.

In another attempt, we tried various implementations of TokenValidationParameters.Events, such as checking claims in the ValidatedToken event, but found that we could not stop the middleware from throwing an exception from the controller action, which brought us back to the 500 problem.

So my questions are:

  • What are the best methods for lifetime validation using OIDC?

  • Can we make OIDC not include certain lifetime claims in the token, such as "nbf", since we do not need them?

+1
asp.net-core jwt openid-connect
Dec 09 '15 at 21:20
1 answer

Edit: This bug has been fixed in ASP.NET Core RC2. The workaround described in this answer is no longer needed.

This is a known bug. Unfortunately, the workaround you can use in beta8 no longer works in RC1.

Your only option is to write middleware to catch the exception so that the server does not return a 500 response. Of course, this is ugly and could potentially hide important exceptions, but this is the only known workaround that works with RC1.

Here is an example (be sure to register it before the JWT bearer middleware):

    app.Use(next => async context =>
    {
        try
        {
            await next(context);
        }
        catch
        {
            // If the headers have already been sent, you can't replace the status code.
            // In this case, rethrow to close the connection.
            if (context.Response.HasStarted)
            {
                throw;
            }

            context.Response.StatusCode = 401;
        }
    });
+1
Dec 09 '15 at 22:14
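A narrower version of the workaround above, added here as an example (not code from the question, the answer or the OpenIdConnect.Server project): it catches only token-validation exceptions, so unrelated failures still surface as 500s, returns a 401 with a WWW-Authenticate header and a small JSON body, and pairs this with a LifetimeValidator that actually checks "exp" and "nbf". The RC1 namespaces, the Microsoft.IdentityModel.Tokens exception type names, the ClockSkew value and the {"error": ...} payload shape are assumptions.

```csharp
// Added example; assumes RC1-era Microsoft.AspNet.* and Microsoft.IdentityModel.Tokens types.
using System;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Http;
using Microsoft.IdentityModel.Tokens;

public static class JwtLifetimeSetup
{
    public static void Configure(IApplicationBuilder app)
    {
        // Catch only validation failures: a bare catch would also mask real bugs as 401s.
        app.Use(next => async context =>
        {
            try { await next(context); }
            catch (SecurityTokenValidationException ex)
            {
                if (context.Response.HasStarted) throw; // headers already sent, cannot change status
                var reason = ex is SecurityTokenExpiredException ? "token_expired"
                           : ex is SecurityTokenNotYetValidException ? "token_not_yet_valid"
                           : "invalid_token";
                context.Response.StatusCode = 401;
                context.Response.Headers["WWW-Authenticate"] = "Bearer error=\"invalid_token\"";
                context.Response.ContentType = "application/json";
                await context.Response.WriteAsync("{\"error\":\"" + reason + "\"}");
            }
        });

        // Registered after the catch middleware, as the answer requires. The validator checks
        // "exp" against UTC now with a small skew and accepts tokens that carry no "nbf".
        app.UseJwtBearerAuthentication(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ClockSkew = TimeSpan.FromMinutes(2), // assumed tolerance, not from the page
                LifetimeValidator = (notBefore, expires, token, parameters) =>
                {
                    var now = DateTime.UtcNow;
                    if (expires == null) return false; // a token without "exp" is never accepted
                    if (expires.Value + parameters.ClockSkew < now)
                        throw new SecurityTokenExpiredException("exp has passed");
                    if (notBefore.HasValue && notBefore.Value - parameters.ClockSkew > now)
                        throw new SecurityTokenNotYetValidException("nbf is in the future");
                    return true;
                }
            };
        });
    }
}
```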
