Identity Server 3 refresh token expires before the expiry set in client configuration

I use the authorization code flow for one of my Identity Server 3 clients, and it is configured as follows:

    new Client
    {
        ClientId = "tripgalleryauthcode",
        ClientName = "Trip Gallery",
        Flow = Flows.AuthorizationCode,
        AllowAccessToAllScopes = true,
        RequireConsent = false,
        // redirect = URI of our callback controller in the iOS application
        RedirectUris = new List<string> { "somecallbackuri" },
        ClientSecrets = new List<Secret> { new Secret("somesecret".Sha256()) },
        // refresh token options
        AccessTokenType = AccessTokenType.Jwt,
        AccessTokenLifetime = 120,
        RefreshTokenUsage = TokenUsage.OneTimeOnly,
        RefreshTokenExpiration = TokenExpiration.Absolute,
        AbsoluteRefreshTokenLifetime = 360,
    }

As you can see, it is configured to expire the access token after 2 minutes and the refresh token after 6 minutes. I did this because I wanted to try to debug the problem in a smaller time frame instead of the one I use in production: 15 days for the refresh token, 1 hour for the access token. We noticed that, for some reason, a refresh token issued today does not work tomorrow. This is why I decided to reduce the times, and this is what happened:

  • At 1:05 pm I made a refresh token request and received new refresh and access tokens
  • So I expect the refresh token to expire at 13:11
  • At 1:10 pm I make a token endpoint call using grant type refresh_token, trying to obtain new access and refresh tokens. What happens is that I get an HTTP 400 error saying it is not valid.

I noticed a little more: 2 minutes after the access token expires, I get a 400 error. It says that the refresh token is invalid.

This is a log from the identity server.

    w3wp.exe Information: 0 : 2016-11-23 10:56:15.802 +00:00 [Information] Start token request
    w3wp.exe Information: 0 : 2016-11-23 10:56:15.802 +00:00 [Information] Client secret id found: "tripgalleryauthcode"
    w3wp.exe Information: 0 : 2016-11-23 10:56:15.802 +00:00 [Information] Client validation success
    w3wp.exe Information: 0 : 2016-11-23 10:56:15.802 +00:00 [Information] Start token request validation
    w3wp.exe Information: 0 : 2016-11-23 10:56:15.802 +00:00 [Information] Start validation of refresh token request
    w3wp.exe Warning: 0 : 2016-11-23 10:56:15.802 +00:00 [Warning] "Refresh token has expired" "{ \"ClientId\": \"tripgalleryauthcode\", \"ClientName\": \"Trip Gallery\", \"GrantType\": \"refresh_token\", \"RefreshToken\": \"d12f50289e5cded13082de989a64ac01\", \"Raw\": { \"grant_type\": \"refresh_token\", \"refresh_token\": \"d12f50289e5cded13082de989a64ac01\" } }"
    w3wp.exe Information: 0 : 2016-11-23 10:56:15.818 +00:00 [Information] End token request
    w3wp.exe Information: 0 : 2016-11-23 10:56:15.818 +00:00 [Information] Returning error: invalid_grant

I would really like to know why this behavior occurs and why my refresh token expires before its expiration date.

+5
1 answer

The reason this happens is that the JWT has a built-in clock skew feature that protects you from out-of-sync clocks. Without this, you may run into problems where tokens are not yet valid.

The default value for this is 5 minutes - this affects the access_token as well as the refresh_token.

You can change this value using JwtBearerOptions.TokenValidationParameters.ClockSkew, in IdentityServer4.AccessTokenValidation.CombinedAuthenticationOptions.

This behavior is also described in the official JWT specification:

Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value. Use of this claim is OPTIONAL.

+1
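As an added illustration (not code from the question, the answer, or IdentityServer), here is a small validator for the JWT time claims the quoted spec text refers to, applying a leeway in the direction RFC 7519 intends: a token is accepted up to `leeway_s` seconds before its nbf and after its exp. The sample claims are constructed from the question's 120-second access token lifetime and the answer's 5-minute default skew.

```python
from datetime import datetime, timezone

# Default leeway mirrors the 5-minute clock skew discussed in the answer above.
DEFAULT_LEEWAY_S = 300


def validate_time_claims(claims: dict, now_s: float, leeway_s: float = DEFAULT_LEEWAY_S) -> str:
    """Check the exp / nbf / iat claims of a decoded JWT payload.

    Times are NumericDate values (seconds since the Unix epoch), as in RFC 7519.
    Returns "ok", or a short reason when the token must be rejected. The leeway
    only widens the acceptance window in both directions; it never shortens it.
    """
    for name in ("exp", "nbf", "iat"):
        value = claims.get(name)
        if value is not None and (isinstance(value, bool) or not isinstance(value, (int, float))):
            return f"{name} is not a NumericDate"
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    if exp is None:
        return "exp missing"  # a token with no exp would never expire; reject it
    if now_s >= exp + leeway_s:  # RFC 7519: now MUST be before exp (plus leeway)
        return "token expired"
    if nbf is not None and now_s < nbf - leeway_s:  # now MUST NOT be before nbf
        return "token not yet valid"
    if iat is not None and now_s < iat - leeway_s:  # issued in the future: clock problem
        return "token issued in the future"
    return "ok"


def acceptance_window(issued_s: float, lifetime_s: float, leeway_s: float = DEFAULT_LEEWAY_S):
    """(earliest, latest) instants at which such a token passes validate_time_claims."""
    return issued_s - leeway_s, issued_s + lifetime_s + leeway_s


# Constructed sample: the question's 120-second access token, issued at 13:05 UTC.
ISSUED_S = int(datetime(2016, 11, 23, 13, 5, tzinfo=timezone.utc).timestamp())
SAMPLE_CLAIMS = {"iat": ISSUED_S, "nbf": ISSUED_S, "exp": ISSUED_S + 120}

if __name__ == "__main__":
    for offset_min in (-6, 0, 2, 6, 8):
        verdict = validate_time_claims(SAMPLE_CLAIMS, ISSUED_S + offset_min * 60)
        print(f"13:05 {offset_min:+d} min -> {verdict}")
```

With the default leeway the sample token is still accepted at 13:11, six minutes after issue; with `leeway_s=0` it is rejected at exactly 13:07.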

Source: https://habr.com/ru/post/1260207/
