-1

I am using the hybrid flow with the refresh token. I want to limit the calls from my web server to my Auth/Resource servers, i.e. unauthorized errors from the resource server and unnecessary updates of the access token.

Question: Is there an expiry date on the access token or a way to add the expiry or issued date time to the Access token? I want to use this to test before refreshing the tokens.

I want to do this validation on the webserver. I just need the issued date on the access token.

I do understand that the expiry date is not foolproof and the token may still be invalid but I can cater for that scenario when it arises.

Thank you

David
  • Usually the JWT-middleware does that by default. What does your code look like? Who generated the token and how is it generated? – alsami Nov 12 '18 at 15:17
  • For which token do you want to validate the expiration? And you are talking client side? You want to check on the client if a token is still valid and only if otherwise then use the refresh token? –  Nov 12 '18 at 21:29
  • I have a web server, auth server and resource server. I want to validate the token on the webserver side before requesting data from the resource server. I want to validate the access token – David Nov 13 '18 at 08:00

2 Answers

2

The web server is the client. The client can read the expiration time (which is already part of the access token) like this:

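using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;   // GetTokenAsync extension method
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{

    public async Task<IActionResult> CallApiUsingUserAccessToken()
    {
        // Access token stored in the authentication session by the OpenID Connect handler
        var accessToken = await HttpContext.GetTokenAsync("access_token");

        // Read expiration time
        // ReadJwtToken only decodes the token; it does not validate the signature
        var tokenHandler = new JwtSecurityTokenHandler();
        var jwtSecurityToken = tokenHandler.ReadJwtToken(accessToken);

        // ValidTo is the 'exp' claim converted to a UTC DateTime
        var validTo = jwtSecurityToken.ValidTo;

        // ...
    }
}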

I've just added the lines concerning reading the expiration time. HomeController is part of the MvcClient project which is available in the 5_HybridFlowAuthenticationWithApiAccess sample.

  • Please have a look at https://stackoverflow.com/questions/53285495/stop-expired-access-token-from-retrieving-data-from-resource-server. Thank you – David Nov 13 '18 at 17:02
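
A sketch of the pre-call check the question asks for, built on the `ValidTo` read shown in the answer above. This is an added example, not code from the answer or from IdentityServer; `AccessTokenClock`, `NeedsRefresh`, `IssuedAtUtc`, the 60-second margin and the issuer/audience values are assumptions made for illustration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;

public static class AccessTokenClock   // hypothetical helper, not part of the sample project
{
    // True when the token should be refreshed before calling the resource server.
    // 'skew' is an assumed safety margin covering clock drift and request latency.
    public static bool NeedsRefresh(string accessToken, DateTime utcNow, TimeSpan skew)
    {
        var handler = new JwtSecurityTokenHandler();
        // Reference (opaque) tokens and malformed input cannot be parsed: refresh rather than guess.
        if (string.IsNullOrEmpty(accessToken) || !handler.CanReadToken(accessToken))
            return true;
        // ReadJwtToken only decodes; it does not verify the signature.
        // Use the result to schedule a refresh, never to make an authorization decision.
        var jwt = handler.ReadJwtToken(accessToken);
        // Without an 'exp' claim ValidTo is DateTime.MinValue: treat the token as expired.
        if (jwt.ValidTo == DateTime.MinValue) return true;
        return utcNow + skew >= jwt.ValidTo;
    }

    // Returns the 'iat' claim as UTC, or null when the issuer did not include one.
    // Assumes the input is a readable JWT (check with CanReadToken first).
    public static DateTime? IssuedAtUtc(string accessToken)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        var iat = jwt.Claims.FirstOrDefault(c => c.Type == JwtRegisteredClaimNames.Iat)?.Value;
        return long.TryParse(iat, out var seconds)
            ? DateTimeOffset.FromUnixTimeSeconds(seconds).UtcDateTime
            : (DateTime?)null;
    }

    public static void Main()
    {
        // Constructed, unsigned sample token with placeholder issuer/audience, expiring in 30 seconds.
        var now = DateTime.UtcNow;
        var sample = new JwtSecurityTokenHandler().WriteToken(
            new JwtSecurityToken(issuer: "https://issuer.example", audience: "api1",
                                 expires: now.AddSeconds(30)));

        Console.WriteLine(NeedsRefresh(sample, now, TimeSpan.FromSeconds(60)));  // inside the margin
        Console.WriteLine(NeedsRefresh(sample, now, TimeSpan.Zero));             // still usable
        Console.WriteLine(NeedsRefresh("not-a-jwt", now, TimeSpan.Zero));        // unreadable input
        Console.WriteLine(IssuedAtUtc(sample)?.ToString("o") ?? "no iat claim");
    }
}
```

The resource server still validates the token on every request, so a 401 after a passing local check has to be handled as a refresh-and-retry case.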
0

The client configuration allows for the following properties to be set regarding access token lifetime:

AccessTokenLifetime: Lifetime of access token in seconds

AbsoluteRefreshTokenLifetime: Max lifetime of a refresh token

RefreshTokenExpiration: Fixed time expiration (has both absolute and sliding options)

Here is the documentation around this: http://docs.identityserver.io/en/release/reference/client.html

user1011627
  • Is there at least a way for me to add an issued date to the access token? Then I could use this to see when it will expire – David Nov 13 '18 at 07:24