Exceptions from JwtSecurityTokenHandler

Question

I'm using Json Web Tokens for my ASP.NET Web API... and thinktectures identity model.

So within my web api Startup.cs I call the IdentityModelJwtBearerAuthenticationExtensions extension method as below:

app.UseJsonWebToken(
    issuer: Constants.IssuerName, 
    audience: Constants.Audience, 
    signingKey: Constants.SigningKey
);

I then decorate my API Controllers with AuthorizeAttribute.

Ok great thats fine! All good.

But when a token expires.... All I get is a 401 unauthorised.

I'll like to have the SecurityTokenValidationException ("Lifetime validation failed. The token is expired") from the JwtSecurityTokenHandler bubble up and be visible in the Web API.

How do I do that?

I've looked around and can't see the right direction to take.

Is it to do with the JwtBearerAuthenticationOptions?

Cheers for any wisdom.

score 0 · Accepted Answer · answered Jul 03 '14 at 06:03

0

That's not how Katana authentication middleware works. If validation fails, no principal gets populated and thus authorization will fail.

Also your web api cannot do anything about that, it is the client that needs to take appropriate actions. In OAuth it is also expected, that the client keeps track of expiration times.

answered Jul 03 '14 at 06:03

leastprivilege

18,196
1
34
50

Thanks for the response! So I should be checking whether a token has expired inside a custom authorization attribute at the Web API level? – Andrew Duffy Jul 03 '14 at 06:18
No. You can't distinguish between no token and an expired token. Why do you care? It is a client concern. – leastprivilege Jul 03 '14 at 06:34
the client being whoever is calling the webapi? – Andrew Duffy Jul 03 '14 at 06:47

Exceptions from JwtSecurityTokenHandler

1 Answers1