Reputation: 2848
ASP.NET Core and JWT token lifetime
I utilize ASP.NET Core 2.1.1
It is interesting that the expiration time is only being taken into account when one provides both ClockSkew - in Startup.cs and JwtSecurityTokenHandler.TokenLifetimeInMinutes - in a controller.
For instance:
services
.AddJwtBearer(x =>
{
...
x.TokenValidationParameters = new TokenValidationParameters()
{
ClockSkew = TimeSpan.FromMinutes(90),
...
plus
...
public async Task<AuthenticateOutput> Authenticate([FromBody] AuthenticateInput input)
{
var tokenHandler = new JwtSecurityTokenHandler();
tokenHandler.TokenLifetimeInMinutes = (int)TimeSpan.FromMinutes(90).TotalMinutes;
...
If I remove tokenHandler.TokenLifetimeInMinutes = (int)TimeSpan.FromMinutes(90).TotalMinutes;
part - the default expiration time is used.
It seems to me that tokenHandler.TokenLifetimeInMinutes is still redundant and I just misunderstand the concept of how to set the expiration time correctly.
I also tried adding expiration claim - new Claim(ClaimTypes.Expiration, ...) - but that didn't have much effect.
Upvotes: 14
Views: 28156
Answers (2)
Reputation: 194
//reading the key from config
//reading the issuer from config
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["Jwt:Key"]));
var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(configuration["Jwt:Issuer"], configuration["Jwt:Issuer"],
null, expires: DateTime.Now.AddMinutes(60),
signingCredentials: credentials); //60mins expiration
string newToken = new JwtSecurityTokenHandler().WriteToken(token);
Upvotes: 0
Reputation: 9195
ClockSkew property isn't about expiration itself, it compensates for clock skew.
To setup token expiration you have to specify it on token creation:
new JwtSecurityToken(
...
expires: DateTime.UtcNow.AddMinutes(90),
....);
and the following code will give you string with token:
var token = new JwtSecurityToken() { /* setup your token setting here*/ }
var tokenString = new JwtSecurityTokenHandler().WriteToken(token);
Upvotes: 30
Related Questions
- How to force expire a JWT token in ASP.Net Core?
- JWT Token authentication, expired tokens still working, .net core Web Api
- JWT Token is expired or not?
- JWT Token Forcefully expire in asp.net core 3.1
- ASP.NET Core 3.1 - How to persist JWT Tokens once Authenticated
- JWT token expiration not working in Asp.Net Core API?
- Can't restrict the lifetime of a JWT token in .NET Core
- jwt token expiration time (asp.net core)
- JWT Expire Behavior
- ASP NET Core JWT authentication allows expired tokens