14

I utilize ASP.NET Core 2.1.1

It is interesting that the expiration time is only being taken into account when one provides both ClockSkew - in Startup.cs and JwtSecurityTokenHandler.TokenLifetimeInMinutes - in a controller.

For instance:

services
  .AddJwtBearer(x =>
  {
      ...
      x.TokenValidationParameters = new TokenValidationParameters()
      {
         ClockSkew = TimeSpan.FromMinutes(90),
         ...

plus

...
public async Task<AuthenticateOutput> Authenticate([FromBody] AuthenticateInput input)
{
   var tokenHandler = new JwtSecurityTokenHandler();
   tokenHandler.TokenLifetimeInMinutes = (int)TimeSpan.FromMinutes(90).TotalMinutes;
   ...

If I remove the tokenHandler.TokenLifetimeInMinutes = (int)TimeSpan.FromMinutes(90).TotalMinutes; part, the default expiration time is used.

It seems to me that tokenHandler.TokenLifetimeInMinutes is still redundant and I just misunderstand the concept of how to set the expiration time correctly.

I also tried adding an expiration claim - new Claim(ClaimTypes.Expiration, ...) - but that didn't have much effect.

Alex Herman

2 Answers

30

The ClockSkew property isn't about expiration itself; it compensates for clock skew.

To set up token expiration you have to specify it on token creation:

new JwtSecurityToken(
                ...
                expires: DateTime.UtcNow.AddMinutes(90),
                ....);

and the following code will give you a string with the token:

var token = new JwtSecurityToken() { /* setup your token setting here*/ };
var tokenString = new JwtSecurityTokenHandler().WriteToken(token);
Alex Riabov
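
Added example (not part of the answer above, and not code from its author): a console program that signs a token whose expiry passed 10 minutes ago and validates it under three ClockSkew values, to show that ClockSkew widens the acceptance window after exp rather than setting the lifetime. The key, issuer and audience strings and the ClockSkewDemo and Accepts names are constructed for the demo.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class ClockSkewDemo
{
    // True if lifetime validation accepts the token under the given ClockSkew.
    static bool Accepts(string jwt, SecurityKey key, TimeSpan skew)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = false,    // demo only: isolate the lifetime check
            ValidateAudience = false,  // demo only
            ValidateLifetime = true,
            IssuerSigningKey = key,
            ClockSkew = skew
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out SecurityToken validated);
            return true;
        }
        catch (SecurityTokenExpiredException)
        {
            return false;
        }
    }

    static void Main()
    {
        // Constructed demo key, not a real secret.
        var key = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes("constructed-demo-key-0123456789-abcdefghij"));
        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        // The lifetime is fixed at creation: this token's exp is 10 minutes in the past.
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: "demo-issuer", audience: "demo-audience", claims: null,
            notBefore: now.AddMinutes(-70), expires: now.AddMinutes(-10),
            signingCredentials: credentials);
        string jwt = new JwtSecurityTokenHandler().WriteToken(token);

        Console.WriteLine(Accepts(jwt, key, TimeSpan.Zero));            // no tolerance past exp
        Console.WriteLine(Accepts(jwt, key, TimeSpan.FromMinutes(5)));  // the library's default skew
        Console.WriteLine(Accepts(jwt, key, TimeSpan.FromMinutes(90))); // the question's setting
    }
}
```

The validator treats a token as expired only once exp is earlier than the current time minus ClockSkew, so a 90-minute skew keeps every token usable for 90 minutes beyond its stated expiry. Keep the skew at the few minutes needed for real clock drift and put the intended lifetime in expires.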
0
// reading the key from config
// reading the issuer from config
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["Jwt:Key"]));
var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);

var token = new JwtSecurityToken(configuration["Jwt:Issuer"], configuration["Jwt:Issuer"],
    null, expires: DateTime.Now.AddMinutes(60),
    signingCredentials: credentials); // 60 mins expiration

string newToken = new JwtSecurityTokenHandler().WriteToken(token);
KingRaja