user1651370

Reputation: 973

What is the correct method of setting the expiry of an access token in the Implicit Flow in IdentityServer4?

I have tried to set the AccessTokenLifetime property for my Implicit Client to be 90 seconds. The client is a JavaScript application.

However, the client is still able to access the api scope "api1" for around 5 minutes after the token should have expired.

This is the code for the client configuration in IdentityServer4:

```csharp
// JavaScript Client
new Client
{
    ClientId = "js",
    ClientName = "JavaScript Client",
    AllowedGrantTypes = GrantTypes.Implicit,
    AllowAccessTokensViaBrowser = true,

    RedirectUris = { "http://localhost:5003/callback.html" },
    PostLogoutRedirectUris = { "http://localhost:5003/index.html" },
    AllowedCorsOrigins = { "http://localhost:5003" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "api1"
    },
    AccessTokenLifetime = 90
}
```

I'm using the JavaScript quickstart solution from the IdentityServer GitHub repo here: https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/7_JavaScriptClient

Upvotes: 6

Views: 2204

Answers (1)

m3n7alsnak3

Reputation: 3166

There is a clock skew in the Microsoft JWT validation middleware. It is set by default to 5 mins and cannot be less. Otherwise - the suggested lifetime of an access token is as short as possible. Especially in the client side clients, where you are exposing it to the browser. So your best solution - leave it as default (300 seconds/5 minutes).

Check this topic - there is a good discussion around this.

Upvotes: 11
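To make the skew effect concrete, here is an added example (not code from the question or from the IdentityServer4 quickstart) that mirrors the lifetime check Microsoft.IdentityModel applies and shows the API-side bearer configuration where `TokenValidationParameters.ClockSkew` lives. The authority URL and audience are assumptions matching the quickstart layout; the issue time is a constructed value.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Added example: why a token issued with AccessTokenLifetime = 90 is still
// accepted by the API for roughly five more minutes. The JWT validation
// tolerates ClockSkew (default 5 minutes) when comparing "now" against "exp".
public static class TokenLifetimeWindow
{
    // Mirrors the lifetime rule in Microsoft.IdentityModel.Tokens.Validators:
    // the token is rejected only when exp < now - ClockSkew.
    public static bool IsAccepted(DateTime expUtc, DateTime nowUtc, TimeSpan clockSkew)
    {
        return expUtc >= nowUtc - clockSkew;
    }

    // Total seconds during which a freshly issued token is accepted.
    public static int EffectiveWindowSeconds(int accessTokenLifetime, TimeSpan clockSkew)
    {
        return accessTokenLifetime + (int)clockSkew.TotalSeconds;
    }

    // Bearer configuration on the "api1" side (assumed authority URL).
    public static void ConfigureApi(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "http://localhost:5000"; // assumed IdentityServer address
                options.Audience = "api1";
                options.RequireHttpsMetadata = false;        // development only
                // ClockSkew is the tolerance applied to exp/nbf; this is the default value.
                options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(5);
            });
    }

    public static void Main()
    {
        TimeSpan skew = new TokenValidationParameters().ClockSkew;          // library default
        DateTime issued = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed
        DateTime exp = issued.AddSeconds(90);

        Console.WriteLine(IsAccepted(exp, issued.AddSeconds(120), skew)); // 30 s past exp, inside skew
        Console.WriteLine(IsAccepted(exp, issued.AddSeconds(391), skew)); // past exp + skew
        Console.WriteLine(EffectiveWindowSeconds(90, skew));              // lifetime plus skew
    }
}
```

Watching the `exp` claim in the browser together with the API's ClockSkew explains the observed five-minute gap without any change on the IdentityServer side.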
