stackoom
  简体   繁体   中英

Proper way of using Clockskew in OWIN JWT OAuth

 原文  2018-07-27 00:05:04       c#/ asp.net/ jwt/ owin

Question

I have an application using following packages 

Autofac version="4.8.1" targetFramework="net471"
Autofac.Owin version="4.2.0" targetFramework="net471"
Autofac.WebApi2" version="4.2.0" targetFramework="net471"
Autofac.WebApi2.Owin" version="4.0.0" targetFramework="net471"
jose-jwt" version="2.4.0" targetFramework="net471"
Microsoft.AspNet.Cors" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Client" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Core" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Owin" version="5.2.6" targetFramework="net471"
Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="1.0.7" targetFramework="net471"
Microsoft.IdentityModel.Logging" version="5.2.4" targetFramework="net471"
Microsoft.IdentityModel.Tokens" version="5.2.4" targetFramework="net471"
Microsoft.Net.Compilers" version="2.1.0" targetFramework="net471"
Microsoft.Owin" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Cors" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Host.SystemWeb" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net471"
Newtonsoft.Json" version="11.0.2" targetFramework="net471"
Owin" version="1.0" targetFramework="net471"
Serilog" version="2.7.1" targetFramework="net471"
Swashbuckle.Core" version="5.6.0" targetFramework="net471"
System.IdentityModel.Tokens.Jwt" version="4.0.4.403061554" targetFramework="net471"

Server is issuing tokens with expiry time of 20 minutes.

In resource server I have following configuration 

TokenValidationParameters tokenValidationParameters = new 
TokenValidationParameters()
{
     ClockSkew = TimeSpan.FromSeconds(_allowedClockDriftSeconds),
     IssuerSigningKey =   ...
     ValidateIssuer = true,
     ValidateAudience = true,
     RequireSignedTokens = true,
     ValidIssuer = "...",
     ValidAudience = "....",
 };

 app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
 {
      AuthenticationMode = AuthenticationMode.Active,
      AllowedAudiences = new[] { "ConsumerDataServices" },
      IssuerSecurityTokenProviders =  new IIssuerSecurityTokenProvider[]
      {...},
      TokenHandler = new JoseJwtTokenHandler(decryptionHandler, logger),
      TokenValidationParameters = tokenValidationParameters,
  });

Auth Server is issuing tokens as JWE Tokens. JoseJwtTokenHandler is overriding ReadToken to decrypt and return JWT Token,

Everything works find for 20 minutes. I Can see my claims in principal.Identity in AuthorizationFilterAttribut. But after 20 minutes authorization stops working as principal.Identity.IsAuthenticated is set to false and claims are empty. On debugging I can see that JoseJwtTokenHandler is working fine.

In my logs I can see following

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Warning: 0 : expired bearer token received

Looking at code of Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler 

DateTimeOffset currentUtc = this.Options.SystemClock.UtcNow;
if (ticket.Properties.ExpiresUtc.HasValue && ticket.Properties.ExpiresUtc.Value < currentUtc)
{
    this._logger.WriteWarning("expired bearer token received");
    return (AuthenticationTicket) null;
}

It looks like OAuthBearerAuthenticationHandler is ignoring ClockSkew.

I have spent lot of time on it but couldn't get it to work. Does what I am doing looks OK? If not what is the correct way to do this?

1 answers

solution1
 0  2019-08-27 09:14:53

I just implemented the OWIN with JWT oAuth 2.0. I faced the same issue after debugging I came to know that I was not setting my token issuer server expire time. by default its time is 20 mins only. please set AccessTokenExpireTimeSpan in OAuthServerOptions to your required time then this will work as a charm. Following is my code snippets hope this helps. 

   public void ConfigureOAuth(IAppBuilder app)
    {
        var authuri = ConfigurationManager.AppSettings["AuthURL"];
        var timeout = Convert.ToInt32(ConfigurationManager.AppSettings["SessionTimeOut"]);
        var AllowInsecureHttp = Convert.ToBoolean(ConfigurationManager.AppSettings["AllowInsecureHttp"]);

        OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            //Todo by Hasan : For Dev enviroment only (on production should be AllowInsecureHttp = false)
            AllowInsecureHttp = AllowInsecureHttp,
            TokenEndpointPath = new PathString("/oauth2/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(timeout),
            Provider = new CustomOAuthProvider(),
            AccessTokenFormat = new CustomJwtFormat(authuri)
        };

        // OAuth 2.0 Bearer Access Token Generation
        app.UseOAuthAuthorizationServer(OAuthServerOptions);

    }

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Authenticating with RSA using JWT on Owin Modifying OWIN OAuth middleware to use JWT bearer tokens Get custom claims from a JWT using Owin MVC with Owin JWT Identity Owin JWT 401 Unauthorized How to log authentication failure reasons when using OWIN and JWT? How to authenticate from Web API controller endpoint when implementing Identity 2.1 + OWIN OAuth JWT bearer token Oauth authentication with owin & Nancy Getting "error": "unsupported_grant_type" when trying to get a JWT by calling an OWIN OAuth secured Web Api via Postman Proper way of using Dictionary
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM