Reputation: 4174
I am using custom authentication and generating a JWT token.
When I post to any service, any authorization attribute, say [Authorize(Roles = "Admin")],
is respected and users who don't have this role get an authorisation error (good!). This shows me that the token generation and posting back works!
However, when a token expires, nothing happens. It is treated as a valid token, while I should be getting some sort of exception. My code is this:
app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions()
{
    SigningKey = ConfigurationManager.AppSettings["authSigningKey"],
    ValidAudiences = new[] { ConfigurationManager.AppSettings["authAudience"] },
    ValidIssuers = new[] { ConfigurationManager.AppSettings["authIssuer"] },
    TokenHandler = config.GetAppServiceTokenHandler()
});
And:
JwtSecurityToken token = AppServiceLoginHandler.CreateToken(
    new Claim[] { new Claim(JwtRegisteredClaimNames.Sub, assertion["username"]) },
    mySigningKey,
    myAppURL,
    myAppURL,
    // Setting very short time to test expiration
    TimeSpan.FromSeconds(10));
I am testing locally and I am expecting an error to be sent to the client stating that the token has expired. What am I doing wrong?
Upvotes: 2
Views: 190
Reputation: 15052
There is a 5-minute expiration grace period to account for clock-skew. I'm guessing that you're sending this token sometime after the 10 seconds but before the 5 minute grace period expires. Try waiting for longer than 5 minutes to confirm whether the token has expired.
Upvotes: 2
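The grace period described in this answer can be reproduced outside the App Service middleware. The following is an added example, not code from the question or the answer: it assumes the System.IdentityModel.Tokens.Jwt package (the JWT validation library whose TokenValidationParameters.ClockSkew defaults to 5 minutes), signs a constructed token that expired 10 seconds ago, and validates it with the default skew and with ClockSkew set to zero.

```csharp
// Added example (not from the question or answers). Assumes the
// System.IdentityModel.Tokens.Jwt NuGet package and its dependency
// Microsoft.IdentityModel.Tokens.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class ClockSkewDemo
{
    static void Main()
    {
        // Constructed key, issuer and audience for the demo only; not real values.
        var key = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes("demo-signing-key-at-least-32-bytes-long!!"));
        const string issuer = "https://example.invalid/";
        const string audience = "https://example.invalid/";

        // Build a token whose "exp" is 10 seconds in the past: expired,
        // but still inside the library's default 5-minute grace period.
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, "alice") },
            notBefore: now.AddMinutes(-1),
            expires: now.AddSeconds(-10),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        string jwt = new JwtSecurityTokenHandler().WriteToken(token);

        // Default skew accepts the token; zero skew rejects it as expired.
        Console.WriteLine("ClockSkew 5 min: " + Validate(jwt, key, issuer, audience, TimeSpan.FromMinutes(5)));
        Console.WriteLine("ClockSkew zero:  " + Validate(jwt, key, issuer, audience, TimeSpan.Zero));
    }

    // Validates signature, issuer, audience and lifetime with the given skew;
    // returns "valid" or "expired".
    static string Validate(string jwt, SecurityKey key, string issuer, string audience, TimeSpan skew)
    {
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = key,
            ValidIssuer = issuer,
            ValidAudience = audience,
            ClockSkew = skew // library default is TimeSpan.FromMinutes(5)
        };
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _); return "valid"; }
        catch (SecurityTokenExpiredException) { return "expired"; }
    }
}
```

Lowering ClockSkew below the default makes expiry bite sooner, but it must stay large enough to cover real clock drift between the token issuer and the validating server.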
Reputation: 8035
When a token expires, nothing happens directly. When you first try to use that token, you should get a 401 Unauthorized error for any endpoint using the [Authorize] attribute. That's because the token you are submitting is no longer valid.
Upvotes: 0