jao

Reputation: 18620

OAuth JWT access token expiration depending on type of client

I created a JWT token implementation based on Taiseer's tutorial.

The following code was added to my Owin startup class:

OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
    AllowInsecureHttp = HttpContext.Current.IsDebuggingEnabled,
    TokenEndpointPath = new PathString("/oauth2/token"),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(90),
    Provider = new CustomOAuthProvider(),
    AccessTokenFormat = new CustomJwtFormat("http://example.com/")
};

Now there are different types of apps that use the API. For the web clients, a 90 minute expiration is good enough, but for mobile apps this is far too short.

Is there a way for the mobile apps to get a token expiration 1 year from now? I could use custom HTTP headers to differentiate between the types of apps. I tried to extend the expiration in the Protect method of my CustomJwtFormat class, which indeed allows for a larger expiration in the JWT.

public class CustomJwtFormat : ISecureDataFormat<AuthenticationTicket> {

    public string Protect(AuthenticationTicket data) {
        ... omitted for brevity ...

        // Indexer returns null when the header is absent (GetValues(...) would also
        // return null there, and .FirstOrDefault() on null throws NullReferenceException)
        string appId = HttpContext.Current.Request.Headers["my-custom-header"];
        if (appId == null)
            throw new ApplicationException("Application ID header is missing");

        if (appId.ToLower() == "mobileappheader") {
            // set expiration to 1 year
            expires = DateTimeOffset.UtcNow.AddYears(1);
        }

        var token = new JwtSecurityToken(issuer, audienceId, data.Identity.Claims,
                      issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingkey);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

But in the authorization response, it still says 90 minutes:

{
    "access_token": "eyJ0eX...0CLY6jU",
    "token_type": "bearer",
    "expires_in": 5399
}

As you can see, expires_in is still set to the 90 minute timespan.

Upvotes: 1

Views: 2226

Answers (1)

jao

Reputation: 18620

Although the response from the server indicates an expiry of 90 minutes, ASP.NET Web API takes a look inside the ticket to determine the expiry time. So if I set it default to 90 minutes (in Startup.cs) and to 1 year for my mobile apps, then my mobile apps will get a 1 year expiration.

Upvotes: 1
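An added example (not code from the question or the answer) of the approach the answer implies: set the ticket's expiry per client type in the provider's TokenEndpoint hook, which the Katana OAuth middleware calls after it has filled ExpiresUtc from AccessTokenExpireTimeSpan and before it calls AccessTokenFormat.Protect, so expires_in and the JWT exp claim are derived from the same value. It assumes the header name and value from the question, the Microsoft.Owin.Security.OAuth and System.IdentityModel.Tokens.Jwt (v4) APIs, and that issuer, audience and signing credentials are supplied by the caller.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Assumed provider: sets the ticket expiry per client type before the ticket is protected,
// so "expires_in" in the token response and the JWT "exp" claim come from one value.
public class CustomOAuthProvider : OAuthAuthorizationServerProvider
{
    private const string AppIdHeader = "my-custom-header"; // header name from the question
    private const string MobileAppId = "mobileappheader";  // header value from the question

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        // The middleware has already filled IssuedUtc/ExpiresUtc from AccessTokenExpireTimeSpan
        // (90 minutes); overriding ExpiresUtc here changes both expires_in and what Protect sees.
        string appId = context.Request.Headers.Get(AppIdHeader);
        if (string.Equals(appId, MobileAppId, StringComparison.OrdinalIgnoreCase))
        {
            // A one-year bearer token cannot be cut short by expiry alone; a refresh-token
            // flow keeps the access token short-lived while still avoiding a re-login.
            context.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddYears(1);
        }
        return Task.FromResult<object>(null);
    }
}

public class CustomJwtFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly string _issuer, _audienceId;    // assumed: loaded from configuration
    private readonly SigningCredentials _signingKey; // assumed: configured HMAC signing credentials

    public CustomJwtFormat(string issuer, string audienceId, SigningCredentials signingKey)
    {
        _issuer = issuer; _audienceId = audienceId; _signingKey = signingKey;
    }

    public string Protect(AuthenticationTicket data)
    {
        if (data == null) throw new ArgumentNullException("data");
        // Read the expiry from the ticket instead of recomputing it, so exp matches expires_in.
        DateTime issued = (data.Properties.IssuedUtc ?? DateTimeOffset.UtcNow).UtcDateTime;
        DateTime expires = (data.Properties.ExpiresUtc ?? DateTimeOffset.UtcNow.AddMinutes(90)).UtcDateTime;
        var token = new JwtSecurityToken(_issuer, _audienceId, data.Identity.Claims, issued, expires, _signingKey);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Resource servers validate the JWT (including exp) with the JWT bearer middleware instead.
    public AuthenticationTicket Unprotect(string protectedText) { throw new NotImplementedException(); }
}
```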
