Can I configure DotNetOpenAuth request token expiration?

Question

In our API we implemented DotNetOpenAuth (v3.4.7). We frequently receive the exception "A token in the message was not recognized by the service provider", along with this stack trace:

   at DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(Boolean condition, String message, Object[] args)
   at DotNetOpenAuth.Messaging.ErrorUtilities.ThrowProtocol(String message, Object[] args)
   at DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement.VerifyThrowTokenTimeToLive(ITokenContainingMessage message)
   at DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement.ProcessIncomingMessage(IProtocolMessage message)
   at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message)

Just recently I discovered this exception is thrown when people take too long authorize their request token. So the time between step 1 and step 2 of the authorization process is too long.

Can this time be configured in the web.config or programmatically?

Note: I tried messaging lifetime="00:30:00" but that does not seem to influence what I'm aiming for.

Answer 1

Two factors go into possibly producing this error:

1. IServiceProviderTokenManager.GetRequestToken throws a KeyNotFoundException, OR
2. The token is older than the timeout specified in your web.config file's dotNetOpenAuth/oauth/serviceProvider/security/@maxAuthorizationTime setting.

For example:

<dotNetOpenAuth>
    <oauth>
        <serviceProvider>
            <security maxAuthorizationTime="00:05:00"/>
        </serviceProvider>
    </oauth>
</dotNetOpenAuth>