
I am having a problem with Identity Server 3 and bearer token authentication.

Basically, I can call my Web API methods with an expired access token and the Web API authenticates the user and returns the data.

I have set my client to have an access token lifetime of 360 seconds and this indeed is the case when I check the claim.

How do I go about ensuring my Web API cannot be called with an expired access token? Do I need to set something in my IdentityServerBearerTokenAuthenticationOptions?

Thanks.

TotPeRo
  • Are you checking if the principal identity on the request context is authenticated? – Dan H Apr 22 '15 at 18:00
  • @DanH Yes, and it is authenticated, that being the problem. I would have thought if the token had expired the user would not be authenticated. For the time being, until I get time to figure it out, I am just going to write an action filter that checks the expiry date of the access token and returns a 401 if the token has expired. – Adam Jasper Apr 23 '15 at 07:17
  • Interesting...can you add your token configuration code to the question? – Dan H Apr 23 '15 at 12:40
  • It seems Identity Server is validating an expired access token, however, not exactly at the time it expires. It seems to be adding five or six minutes to the expiry date before it is deemed to be expired. There is a clock skew property you can set as part of the config, however, this seems to be ignored. I ended up creating an action filter to return a 401 if the access token has expired. – Adam Jasper Apr 24 '15 at 13:10

1 Answer


When the request comes in the very first thing we do is check if the identity is authenticated and that the authentication type is "Bearer".

    private static bool RequestIsAuthenticated(HttpActionContext actionContext)
    {
        return (actionContext.RequestContext.Principal.Identity.AuthenticationType == "Bearer" && actionContext.RequestContext.Principal.Identity.IsAuthenticated);
    }

If this returns false we return an HttpStatusCode.Unauthorized.

Dan H
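An ASP.NET Web API 2 authorization filter along the lines the comments describe, added here as an example and not code from the question or the answer. It assumes the access token is a JWT whose `exp` claim reaches the principal, and the class name and the 30-second skew are assumptions of the example; it applies the answer's "authenticated and Bearer" check first, then enforces expiry with a tighter tolerance than the middleware's default.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter: rejects a request once the bearer token's "exp" claim has
// passed, using a tighter skew than the middleware's default tolerance.
public class RejectExpiredTokenAttribute : AuthorizationFilterAttribute
{
    // Allowed clock skew in seconds (assumed value; tune to your server clocks).
    public int AllowedSkewSeconds { get; set; } = 30;
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        var identity = principal == null ? null : principal.Identity;
        // The answer's check first: authenticated, and via the Bearer scheme.
        if (identity == null || !identity.IsAuthenticated || identity.AuthenticationType != "Bearer")
        {
            Reject(actionContext);
            return;
        }

        // "exp" is the JWT expiry as seconds since the Unix epoch (RFC 7519).
        var expClaim = principal.FindFirst("exp");
        long expSeconds;
        if (expClaim == null || !long.TryParse(expClaim.Value, NumberStyles.Integer,
                                               CultureInfo.InvariantCulture, out expSeconds))
        {
            Reject(actionContext);  // no usable expiry: fail closed
            return;
        }
        var expiresAt = new DateTimeOffset(1970, 1, 1, 0, 0, 0, TimeSpan.Zero).AddSeconds(expSeconds);
        if (DateTimeOffset.UtcNow > expiresAt.AddSeconds(AllowedSkewSeconds))
        {
            Reject(actionContext);  // expired beyond the allowed skew
        }
    }
    // Short-circuit the pipeline with 401 and the RFC 6750 invalid_token challenge.
    private static void Reject(HttpActionContext actionContext)
    {
        var response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(
            new AuthenticationHeaderValue("Bearer", "error=\"invalid_token\""));
        actionContext.Response = response;
    }
}
```

Apply it as `[RejectExpiredToken(AllowedSkewSeconds = 30)]` on the controllers or actions that must honour the 360-second lifetime strictly; the middleware's own validation still runs first, so this only narrows the window it leaves open.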