我正在使用AspNet.Security.OpenIdConnect.Server来发出JWT令牌,并将AuthorizationCodeLifetime设置为30秒进行测试.这是我用来设置选项的代码片段
options.TokenEndpointPath = "/api/token";
options.AllowInsecureHttp = true;
options.AccesstokenHandler = new JwtSecurityTokenHandler();
options.SigningCredentials.Add(new SigningCredentials(signingKey,SecurityAlgorithms.HmacSha256));
options.AccesstokenLifetime = TimeSpan.FromSeconds(30);
options.AuthorizationCodeLifetime = TimeSpan.FromSeconds(30);
返回的令牌包含:
"expires_in": 30,
并且反序列化的令牌包含以下声明:
"nbf": 1476915220,"exp": 1476915250,"iat": 1476915220,
如您所见,exp(过期时间)是在iat(发布时间)之后30秒.然而,令牌在到期后5分钟才触发401 Unauthorized.如果我们将exp编号插入http://www.epochconverter.com/,那么我们将看到这个评估结果为2016年10月19日星期三格林尼治标准时间22:14:10,当地时间是下午5:14:10.
以下是Core库的一些记录输出:
Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation Failed. The token is expired. ValidTo: '10/19/2016 22:14:10' Current time: '10/19/2016 22:19:10'. at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(Nullable`1 notBefore,Nullable`1 expires,SecurityToken securityToken,TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime(Nullable`1 notBefore,JwtSecurityToken securityToken,TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.Validatetoken(String token,TokenValidationParameters validationParameters,SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext() info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[7] Bearer was not authenticated. Failure message: IDX10223: Lifetime validation Failed. The token is expired. ValidTo: '10/19/2016 22:14:10' Current time: '10/19/2016 22:19:10'.
当然,此输出并不能证明服务器在22:14:10和22:19:10之间接受令牌.如果我碰巧在它过期后等了5分钟然后尝试验证令牌,那就是它本来会做的,但是你必须接受我的话.我在Postman测试并且每秒点击“发送”直到它返回401.
那么这是什么一回事?是否有一些我不知道的内置缓冲区?有趣的是,AccesstokenLifetime的默认值是5分钟,但令牌肯定反映我已将其更改为30秒.这是怎么回事?
我正在使用的相关库:
<package id="AspNet.Security.OpenIdConnect.Extensions" version="1.0.0-beta6-final" targetFramework="net452" /> <package id="AspNet.Security.OpenIdConnect.Server" version="1.0.0-beta6-final" targetFramework="net452" /> <package id="Microsoft.AspNetCore.Authentication.JwtBearer" version="1.0.0" targetFramework="net452" />
解决方法
So,what’s up? Is there some 5 minute buffer built in that I’m not aware of? What’s going on?
你称之为“缓冲区”的实际上是由JWT承载中间件(由微软开发)提供的内置功能,它被称为“时钟偏差”,旨在减轻网络农场中时钟失步的影响.
正如您所知,the default value is set to 5 minutes,但它可以通过JwtBearerOptions.TokenValidationParameters.ClockSkew更改.
