Lóri Nóda

Reputation: 750

OWIN OAuth 2.0 - Bearer Token Never Expire

I'm using the following OAuth provider and options:

    // OAuth authorization server options (Startup.Auth.cs)
    UserManagerFactory = () => new UserManager<IdentityUser>(new UserStore<IdentityUser>(new ApplicationDbContext()));
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
        AuthorizeEndpointPath = new PathString("/api/AccountOwin/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(2),
        AllowInsecureHttp = true
    };

    // Middleware registration in ConfigureAuth(IAppBuilder app)
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    // Enable the application to use bearer tokens to authenticate users
    app.UseOAuthBearerTokens(OAuthOptions);

The OAuth provider class comes from the link below: https://github.com/gustavo-armenta/BearerTokenAuthenticationSample/blob/master/BearerTokenAuthenticationSample/Providers/ApplicationOAuthProvider.cs

I want to implement a refresh token provider, and because of this I set the expiration time to 2 minutes. But I noticed that the Web API allows access to the resources even after 2 minutes.

Thanks in advance!

Upvotes: 3

Views: 5127

Answers (2)

Gary

Reputation: 11

We had the same problem. In our case it turned out to be that the authentication server was built with Web API 2.0 and the resource server was Web API 2.2. We built the authentication server first, then built the resource server. By the time we built the resource server and added the NuGet packages, we got Web API 2.2. Upgrading the packages to the new versions on the authentication server and redeploying solved our problem.

Upvotes: 1

Chris

Reputation: 3221

I had this problem because I'd forgotten to configure WebAPI correctly. Adding the following code into my WebApiConfig Register() method solved it.

    // Web API configuration and services
    // Configure Web API to use only bearer token authentication.
    config.SuppressDefaultHostAuthentication();
    config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

I found this in the sample I used and it's also mentioned in this post.

Upvotes: 2
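The two lines in the answer above are the whole fix, but it helps to see why they matter. The question's Startup registers both cookie authentication and bearer tokens, and the stock VS 2013 OAuth provider also signs in a cookie identity when it issues a token. Without `SuppressDefaultHostAuthentication()`, Web API accepts the principal the host (the OWIN cookie middleware) already attached to the request, so a request carrying the application cookie passes `[Authorize]` whether or not its bearer token has expired. The following is an added example written for this page, not code from the question, either answer, or the linked sample: a complete `WebApiConfig.Register` applying the fix, plus a protected controller to test against. It assumes the `Microsoft.AspNet.WebApi.Owin` package (which provides `HostAuthenticationFilter`) and `Microsoft.Owin.Security.OAuth` (which provides `OAuthDefaults`) are installed; the controller and route names are illustrative.

```csharp
// Added example, not part of the original question or answers.
// Assumes Microsoft.AspNet.WebApi.Owin and Microsoft.Owin.Security.OAuth
// are installed; ValuesController and the route template are illustrative.
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // 1. Discard whatever principal the host (IIS or the OWIN cookie
        //    middleware registered in Startup) already attached to the request.
        //    Otherwise a request that carries the application cookie is treated
        //    as authenticated even when the Authorization: Bearer header is
        //    missing or the token is past AccessTokenExpireTimeSpan.
        config.SuppressDefaultHostAuthentication();

        // 2. Re-authenticate inside Web API using only the bearer scheme, so the
        //    OAuth bearer middleware validates the token's protection and expiry
        //    on every request. Requests without a valid bearer token are now
        //    anonymous and [Authorize] rejects them with 401.
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}

// Illustrative protected resource. After the fix, a call made with a token
// older than AccessTokenExpireTimeSpan (2 minutes in the question) returns
// 401 instead of the payload, and AuthenticationType reports "Bearer".
[Authorize]
public class ValuesController : ApiController
{
    public IHttpActionResult Get()
    {
        return Ok(new
        {
            user = User.Identity.Name,
            authType = User.Identity.AuthenticationType
        });
    }
}
```

To confirm the fix took effect, obtain a token from `/Token`, call `GET /api/values` with `Authorization: Bearer <token>` and no cookie (expect 200 and `authType` = `Bearer`), wait past the configured lifetime and repeat the call (expect 401 with a `WWW-Authenticate: Bearer` header), and finally send only the application cookie with no bearer header (expect 401). If the second or third call still returns 200, `Register` is not being invoked with this configuration. Separately, `AllowInsecureHttp = true` in the question's options is acceptable only for local testing: with it, bearer tokens and the credentials posted to `/Token` travel in clear text, so set it to `false` outside development.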
