
Bearer token Authorization

I am having a problem with Identity Server 3 and bearer token authentication.

Basically, I can call my Web API methods with an expired access token and the Web API authenticates the user and returns the data.

I have set my client to have an access token lifetime of 360 seconds and this indeed is the case when I check the claim.

How do I go about ensuring my Web API cannot be called with an expired access token? Do I need to set something in my IdentityServerBearerTokenAuthenticationOptions?

Thanks.

When the request comes in, the very first thing we do is check if the identity is authenticated and that the authentication type is "Bearer".

    // Runs before the action: the caller must carry an identity that the bearer token
    // middleware has already authenticated, and the scheme must be "Bearer".
    private static bool RequestIsAuthenticated(HttpActionContext actionContext)
    {
        var identity = actionContext.RequestContext.Principal.Identity;
        return identity.AuthenticationType == "Bearer" && identity.IsAuthenticated;
    }

If this returns false we return an HttpStatusCode.Unauthorized.
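The check above only asks whether the bearer middleware produced an authenticated identity; it never looks at when the token expires, so if the validation pipeline lets an expired token through, this filter will too. The following Web API 2 authorization filter is an added example (not code from the original post or from IdentityServer3) that keeps the same two conditions and additionally rejects any token whose `exp` claim (a Unix-epoch timestamp per RFC 7519) lies in the past. It is a defence-in-depth check layered on top of, not a replacement for, correct lifetime validation in the token middleware. The class name, the `exp` claim type string and the 60-second clock skew are assumptions chosen for the example.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example (hypothetical name): refuses bearer tokens whose "exp" claim has passed.
public sealed class RequireUnexpiredBearerTokenAttribute : AuthorizationFilterAttribute
{
    // Tolerated clock difference between the token issuer and this API (assumed value).
    private static readonly TimeSpan AllowedClockSkew = TimeSpan.FromSeconds(60);

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        var identity = principal == null ? null : principal.Identity;

        // Same two conditions as the original check: an authenticated "Bearer" identity.
        if (identity == null || !identity.IsAuthenticated || identity.AuthenticationType != "Bearer")
        {
            Reject(actionContext, "not authenticated with a bearer token");
            return;
        }

        // "exp" is a NumericDate: whole seconds since the Unix epoch (RFC 7519, section 4.1.4).
        var expClaim = principal.FindFirst("exp");
        long expSeconds;
        if (expClaim == null ||
            !long.TryParse(expClaim.Value, NumberStyles.Integer, CultureInfo.InvariantCulture, out expSeconds))
        {
            // A bearer token with no parsable expiry is treated as invalid, not as unlimited.
            Reject(actionContext, "token has no valid exp claim");
            return;
        }

        if (TokenExpired(expSeconds, DateTimeOffset.UtcNow, AllowedClockSkew))
        {
            Reject(actionContext, "token has expired");
        }
    }

    // Pure comparison, kept separate so it can be unit-tested without an HTTP context.
    public static bool TokenExpired(long expSeconds, DateTimeOffset now, TimeSpan skew)
    {
        var expiresAt = DateTimeOffset.FromUnixTimeSeconds(expSeconds);
        return now > expiresAt + skew;
    }

    private static void Reject(HttpActionContext actionContext, string reason)
    {
        var response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        // RFC 6750, section 3: tell the client why the bearer token was refused.
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue(
            "Bearer", "error=\"invalid_token\", error_description=\"" + reason + "\""));
        actionContext.Response = response;
    }
}
```

Apply it as `[RequireUnexpiredBearerToken]` on the controllers or actions that must not accept stale tokens. Keep the skew small: it only exists to absorb clock drift between the identity server and the API host, and every second added to it extends the window in which a token the issuer already considers expired is still accepted. When diagnosing the original problem, comparing the `exp` value this filter reads against the lifetime configured on the client is also a quick way to confirm whether the token really carries the 360-second lifetime you expect.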
