Yanick Tourn
Reputation: 83
.net core 2.0 JWT token expired issue
I'm having a very weird issue that is literally driving me nuts and doesn't make any sense to me.
Let me explain it: I have a .NET Core 2.0 Web API that is being consumed by an Angular 5 client. The web api is hosted in an Azure AppService. Authentication is via JWT Bearer tokens using AspnetCore.Authentication.JWTBearer (currently on version 2.0.1) The application creates the JWT token fine in the the auth/login endpoint. Then the client is able to authenticate in the following calls just fine.
However, even though I specify a timespan of 1080 minutes (a week) of the token, after around 8 hours let's say the token is no longer valid. I can leave with that, (actually I started specifying the token to be valid for a couple of hours) however once the token is expired... and here's where the weird stuff comes along, the application issues a new token after the user is logged in again, but the new tokens don't authenticate saying token has expired!, how can it be expired if it was just created. (I have doubled check and the new received token is being sent to the server, not the old one).
Furthermore, if I just restart the app service in Azure, then everything goes back to normal again, and new issued jwt tokens are accepted. I thought that it could be an issue regarding the clock between Azure's server and something else, so I removed the ClockSkew property and left it at 5 minutes that is its default value, but with no luck.
I don't know what is causing this strange behaviour, but is causing my app to be useless at some moment during the day, unless I enter Azure and restart the app service.
My code is below, but I'm starting to think it can be a bug related with .net core and Azure?
Do you see anything wrong? Thanks for your help!
This is my startup.cs class
public class Startup
{
private string connectionString;
private const string SecretKey = "iNivDmHLpUA223sqsfhqGbMRdRj1PVkH";
// todo: get this from somewhere secure
private readonly SymmetricSecurityKey _signingKey = new
SymmetricSecurityKey(Encoding.ASCII.GetBytes(SecretKey));
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
connectionString = Configuration.GetSection("ConnectionString:Value").Value;
Console.WriteLine("Connection String: " + connectionString);
services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(connectionString));
//Initialize the UserManager instance and configuration
services.AddIdentity<AppUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
services.TryAddTransient<IHttpContextAccessor, HttpContextAccessor>();
// add identity
var builder = services.AddIdentityCore<AppUser>(o =>
{
// configure identity options
o.Password.RequireDigit = true;
o.Password.RequireLowercase = true;
o.Password.RequireUppercase = true;
o.Password.RequireNonAlphanumeric = true;
o.Password.RequiredLength = 6;
});
builder = new IdentityBuilder(builder.UserType, typeof(IdentityRole), builder.Services);
builder.AddEntityFrameworkStores<ApplicationDbContext>().AddDefaultTokenProviders();
//START JWT CONFIGURATION
services.AddSingleton<IJwtFactory, JwtFactory>();
// Get options from app settings
var jwtAppSettingOptions = Configuration.GetSection(nameof(JwtIssuerOptions));
// Configure JwtIssuerOptions
services.Configure<JwtIssuerOptions>(options =>
{
options.Issuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
options.Audience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)];
options.SigningCredentials = new SigningCredentials(_signingKey, SecurityAlgorithms.HmacSha256);
});
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)],
ValidateIssuerSigningKey = true,
IssuerSigningKey = _signingKey,
ValidateAudience = true,
ValidAudience = jwtAppSettingOptions[nameof(JwtIssuerOptions.Audience)],
RequireExpirationTime = false,
// ValidateLifetime = true,
// ClockSkew = TimeSpan.Zero //default son 5 minutos
};
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(configureOptions =>
{
configureOptions.ClaimsIssuer = jwtAppSettingOptions[nameof(JwtIssuerOptions.Issuer)];
configureOptions.TokenValidationParameters = tokenValidationParameters;
configureOptions.SaveToken = true;
});
// api user claim policy
// Enables [Authorize] decorator on controllers.
//more information here: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1
services.AddAuthorization(options =>
{
options.AddPolicy("ApiUser", policy => policy.RequireClaim(Constants.Strings.JwtClaimIdentifiers.Rol, Constants.Strings.JwtClaims.ApiAccess));
});
//END JWT CONFIGURATION
// Register the Swagger generator, defining one or more Swagger documents
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info
{
Title = Configuration.GetSection("Swagger:Title").Value,
Version = "v1"
});
});
//Initialize auto mapper
services.AddAutoMapper();
services.AddCors();
//Initialize MVC
services.AddMvc();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
UserManager<AppUser> userManager, RoleManager<IdentityRole> roleManager)
{
var cultureInfo = new CultureInfo("es-AR");
//cultureInfo.NumberFormat.CurrencySymbol = "€";
CultureInfo.DefaultThreadCurrentCulture = cultureInfo;
CultureInfo.DefaultThreadCurrentUICulture = cultureInfo;
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseExceptionHandler(
builder =>
{
builder.Run(
async context =>
{
context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
context.Response.Headers.Add("Access-Control-Allow-Origin", "*");
var error = context.Features.Get<IExceptionHandlerFeature>();
if (error != null)
{
context.Response.AddApplicationError(error.Error.Message);
await context.Response.WriteAsync(error.Error.Message).ConfigureAwait(false);
}
});
});
// Enable middleware to serve generated Swagger as a JSON endpoint.
app.UseSwagger();
// Enable middleware to serve swagger-ui (HTML, JS, CSS, etc.), specifying the Swagger JSON endpoint.
app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint(
Configuration.GetSection("Swagger:Endpoint").Value,
Configuration.GetSection("Swagger:Title").Value);
});
app.UseAuthentication();
//Loads initial users and roles.
if (Configuration["seed"] == "true")
{
Console.WriteLine("Seeding database with connection string: " + connectionString);
Console.WriteLine();
IdentityDataInitializer.SeedData(userManager, roleManager);
Console.WriteLine("Finished seeding");
}
else
{
Console.WriteLine("seeding not configured");
}
app.UseDefaultFiles();
app.UseStaticFiles();
// Shows UseCors with CorsPolicyBuilder.
app.UseCors(builder =>
builder.WithOrigins(Configuration.GetSection("AllowedOrigins:Origin1").Value,
Configuration.GetSection("AllowedOrigins:Origin2").Value)
.AllowAnyHeader()
.AllowAnyMethod() //Permite también PREFLIGHTS / OPTIONS REQUEST!
);
Console.WriteLine("Allowed origin: " + Configuration.GetSection("AllowedOrigins:Origin1").Value);
Console.WriteLine("Allowed origin: " + Configuration.GetSection("AllowedOrigins:Origin2").Value);
app.UseMvc();
}
}
This is my JwtIssuerOptions.cs
public class JwtIssuerOptions
{
/// <summary>
/// 4.1.1. "iss" (Issuer) Claim - The "iss" (issuer) claim identifies the principal that issued the JWT.
/// </summary>
public string Issuer { get; set; }
/// <summary>
/// 4.1.2. "sub" (Subject) Claim - The "sub" (subject) claim identifies the principal that is the subject of the JWT.
/// </summary>
public string Subject { get; set; }
/// <summary>
/// 4.1.3. "aud" (Audience) Claim - The "aud" (audience) claim identifies the recipients that the JWT is intended for.
/// </summary>
public string Audience { get; set; }
/// <summary>
/// 4.1.4. "exp" (Expiration Time) Claim - The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
/// </summary>
public DateTime Expiration => IssuedAt.Add(ValidFor);
/// <summary>
/// 4.1.5. "nbf" (Not Before) Claim - The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.
/// </summary>
public DateTime NotBefore { get; set; } = DateTime.UtcNow;
/// <summary>
/// 4.1.6. "iat" (Issued At) Claim - The "iat" (issued at) claim identifies the time at which the JWT was issued.
/// </summary>
public DateTime IssuedAt { get; set; } = DateTime.UtcNow;
/// <summary>
/// Set the timespan the token will be valid for (default is 120 min)
/// </summary>
public TimeSpan ValidFor { get; set; } = TimeSpan.FromMinutes(1080);//una semana
/// <summary>
/// "jti" (JWT ID) Claim (default ID is a GUID)
/// </summary>
public Func<Task<string>> JtiGenerator =>
() => Task.FromResult(Guid.NewGuid().ToString());
/// <summary>
/// The signing key to use when generating tokens.
/// </summary>
public SigningCredentials SigningCredentials { get; set; }
}
Token.cs class that sends the json with the token to the client
public class Tokens
{
public static async Task<object> GenerateJwt(ClaimsIdentity identity, IJwtFactory jwtFactory, string userName, JwtIssuerOptions jwtOptions, JsonSerializerSettings serializerSettings)
{
var response = new
{
id = identity.Claims.Single(c => c.Type == "id").Value,
auth_token = await jwtFactory.GenerateEncodedToken(userName, identity),
expires_in = (int)jwtOptions.ValidFor.TotalSeconds
};
return response;
//return JsonConvert.SerializeObject(response, serializerSettings);
}
}
AuthController.cs
[Produces("application/json")]
[Route("api/[controller]")]
public class AuthController : Controller
{
private readonly UserManager<AppUser> _userManager;
private readonly IJwtFactory _jwtFactory;
private readonly JwtIssuerOptions _jwtOptions;
private readonly ILogger _logger;
public AuthController(UserManager<AppUser> userManager,
IJwtFactory jwtFactory,
IOptions<JwtIssuerOptions> jwtOptions,
ILogger<AuthController> logger)
{
_userManager = userManager;
_jwtFactory = jwtFactory;
_jwtOptions = jwtOptions.Value;
_logger = logger;
}
// POST api/auth/login
[HttpPost("login")]
public async Task<IActionResult> Post([FromBody]CredentialsViewModel credentials)
{
try
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
var identity = await GetClaimsIdentity(credentials.UserName, credentials.Password);
if (identity == null)
{
// Credentials are invalid, or account doesn't exist
_logger.LogInformation(LoggingEvents.InvalidCredentials, "Invalid Credentials");
return BadRequest(Errors.AddErrorToModelState("login_failure", "Invalid username or password.", ModelState));
}
var jwt = await Tokens.GenerateJwt(identity, _jwtFactory, credentials.UserName, _jwtOptions, new JsonSerializerSettings { Formatting = Formatting.Indented });
CurrentUser cu = Utils.GetCurrentUserInformation(identity.Claims.Single(c => c.Type == "id").Value, _userManager).Result;
if (cu != null)
{
cu.Jwt = jwt;
return new OkObjectResult(cu);
}
return StatusCode(500);
}
catch (System.Exception ex)
{
_logger.LogError(LoggingEvents.GenericError, ex.Message);
return StatusCode(500, ex);
}
}
private async Task<ClaimsIdentity> GetClaimsIdentity(string userName, string password)
{
try
{
if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
return await Task.FromResult<ClaimsIdentity>(null);
// get the user to verifty
ILogicUsers lusers = Business.UsersLogic(_userManager);
AppUser userToVerify = await lusers.FindByNameAsync(userName);
if (userToVerify == null)
return await Task.FromResult<ClaimsIdentity>(null);
// check the credentials
if (await lusers.CheckPasswordAsync(userToVerify, password))
{
return await Task.FromResult(_jwtFactory.GenerateClaimsIdentity(userName, userToVerify.Id));
}
// Credentials are invalid, or account doesn't exist
_logger.LogInformation(LoggingEvents.InvalidCredentials, "Invalid Credentials");
return await Task.FromResult<ClaimsIdentity>(null);
}
catch
{
throw;
}
}
}
Upvotes: 3
Views: 8874
Answers (1)
Yanick Tourn
Reputation: 83
Well, I think i figured out the problem.
The IssuedAt property was static, and was taking the first time generated token value. When the token was expired, then a new one was generated but taking the issuedAt date of the first one, and that's why all new generated tokens were expired. Restarting the AppService in Azure caused the static value to be cleared and the first new token was correctly created.
This is the correct line.
public DateTime IssuedAt => DateTime.UtcNow;
Thanks for your help!
Upvotes: 4
Related Questions
- JWT Token authentication, expired tokens still working, .net core Web Api
- JWT Token is expired or not?
- JWT Token Forcefully expire in asp.net core 3.1
- .NetCore JwtBearerAuthentication not rejecting expired tokens
- JwtSecurityToken Expiry Time Invalid .NET Core 3.1
- .NET Core - JWT - SecurityTokenNoExpirationException
- JWT expires too fast in .NET Core Web API
- JWT token expiration not working in Asp.Net Core API?
- .NET Core Jwt Token always expired when trying to access Authorized area
- ASP NET Core JWT authentication allows expired tokens