
I am working on an ASP.NET MVC application which uses ADFS authentication, and I have the following error in our log files in production. I'm trying to figure out what the cause of this issue is, as I believe it is preventing some users from accessing our application.

The error is as follows:

System.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired.
ValidTo: '08/13/2018 12:59:35'
Current time: '08/13/2018 13:15:34'.

While I can't be sure, since I don't have timestamps of when the error happened, I believe it is causing the classic ASP.NET Server Error in '/' Application and it's the only error I'm seeing in our logs that would correlate with that page appearing.

As I'm searching Stack Overflow, I see references to JWT authorization, which is not what our application is using. Or at least we aren't using anything that explicitly uses JWT for authentication; it may be what's happening under the hood. I also see some posts which state that if the authentication server and application server times are not in sync this error can occur; I am working with my IT team to verify these servers' clocks are in sync and will update accordingly.

Our application uses a singular MVC route to serve our Angular application, and only enforces authentication on that landing page; our API controllers do not have specific authorization requirements on them (I know, bad security practice, that's a whole other conversation I'm trying to have with my team's architect).

While I wait for the information on the clocks, are there any other possible options I can investigate?

OWIN Startup code

using System.Threading.Tasks;
using System.Web.Configuration;
using Kentor.OwinCookieSaver;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    // OWIN startup entry point; Configuration returns void, so the original
    // "return app;" at the end of the method has been removed.
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // Workaround for this bug: http://katanaproject.codeplex.com/workitem/197
        app.UseKentorOwinCookieSaver();

        // Session cookie issued after a successful WS-Federation sign-in.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieSecure = CookieSecureOption.Always,
            CookieName = "Adfs Cookie Name",
        });

        // WS-Federation (ADFS) as the external identity provider.
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            MetadataAddress = WebConfigurationManager.AppSettings["WSFederation:MetadataAddress"],
            Wtrealm = WebConfigurationManager.AppSettings["WSFederation:Realm"],
            SignOutWreply = WebConfigurationManager.AppSettings["WSFederation:Realm"],
            Notifications = new WsFederationAuthenticationNotifications
            {
                // Do not redirect XHR calls to ADFS; let them fail with 401 instead.
                RedirectToIdentityProvider = ctx =>
                {
                    if (IsAjaxRequest(ctx.Request))
                    {
                        ctx.HandleResponse();
                    }

                    return Task.FromResult(0);
                }
            }
        });
    }

    // Treats a request as AJAX if X-Requested-With is present in the query string or headers.
    private static bool IsAjaxRequest(IOwinRequest request)
    {
        var query = request.Query;
        if (query != null && query["X-Requested-With"] == "XMLHttpRequest")
        {
            return true;
        }

        var headers = request.Headers;
        if (headers != null && headers["X-Requested-With"] == "XMLHttpRequest")
        {
            return true;
        }

        return false;
    }
}
willwolfram18

1 Answer


Finally figured out what the issue was! But first, some background. The web app I'm building integrates with a WPF application via a browser control in the application. The browser control is a tab that is not selected on the initial load of the application, but it does at least make a request and get redirected to ADFS for authentication. However, the browser wasn't completing the redirect from ADFS to my app until after the browser tab is activated.

Why does all of this matter? Well the ADFS token was configured with a 1hr lifetime. So what happened was users would open the WPF app, and automatically authenticate with ADFS and get a token generated. However, if they didn't activate the tab within that 1hr lifetime the token would expire before the redirect completed. I think this could also happen if I opened a tab in a browser, signed in to ADFS, and then immediately moved to a different tab before my app would have time to be served. Ultimately, it's a weird edge case for my application, but the root of the problem was a token getting issued but not validated by my app server until after it had already expired.

willwolfram18
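Given the root cause above (a token that is genuinely valid when issued but only posted back to the app after its lifetime has passed), the practical mitigation on the application side is to make the expiry a recoverable event rather than an unhandled exception. The following is an added example reworking the Startup from the question; it is not the asker's production code. It sets the token clock skew explicitly on the existing TokenValidationParameters instance and adds an AuthenticationFailed notification that logs the expired token and restarts sign-in instead of surfacing the generic Server Error page. Assumptions: the app root "/" is the protected landing page that triggers the cookie challenge, a 5-minute skew (the Katana default), the Kentor package and the app-setting names from the question.

```csharp
using System;
using System.Diagnostics;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using System.Web.Configuration;
using Kentor.OwinCookieSaver;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseKentorOwinCookieSaver();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieSecure = CookieSecureOption.Always,
            CookieName = "Adfs Cookie Name",
        });

        var realm = WebConfigurationManager.AppSettings["WSFederation:Realm"];
        var options = new WsFederationAuthenticationOptions
        {
            MetadataAddress = WebConfigurationManager.AppSettings["WSFederation:MetadataAddress"],
            Wtrealm = realm,
            SignOutWreply = realm,
            Notifications = new WsFederationAuthenticationNotifications
            {
                RedirectToIdentityProvider = ctx =>
                {
                    if (IsAjaxRequest(ctx.Request))
                    {
                        ctx.HandleResponse();
                    }
                    return Task.FromResult(0);
                },

                // Runs when the posted token fails validation (signature, audience, lifetime, ...).
                AuthenticationFailed = n =>
                {
                    if (n.Exception is SecurityTokenExpiredException)
                    {
                        // Record the event so stale-token cases are distinguishable from
                        // signature/audience failures, which should still surface as errors.
                        Trace.TraceWarning("Expired WS-Fed token from {0}: {1}",
                            n.Request.RemoteIpAddress, n.Exception.Message);

                        // Swallow the exception and send the browser (as a GET) to the
                        // protected landing page; the cookie challenge then redirects to
                        // ADFS for a fresh token. With a live ADFS SSO session this completes
                        // without a new password prompt. Assumption: "/" is the protected route.
                        n.HandleResponse();
                        n.Response.Redirect(n.Request.PathBase.Value + "/");
                    }
                    return Task.FromResult(0);
                }
            }
        };

        // Mutate the options' existing TokenValidationParameters instead of replacing it,
        // so audience/issuer settings the middleware derives from Wtrealm and metadata are kept.
        // Assumption: 5 minutes (the library default) is acceptable tolerance for clock drift.
        options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(5);

        app.UseWsFederationAuthentication(options);
    }

    private static bool IsAjaxRequest(IOwinRequest request)
    {
        var query = request.Query;
        if (query != null && query["X-Requested-With"] == "XMLHttpRequest")
        {
            return true;
        }

        var headers = request.Headers;
        return headers != null && headers["X-Requested-With"] == "XMLHttpRequest";
    }
}
```

Two caveats. The ClockSkew only absorbs small drift between the ADFS and web servers; the timestamps in the question are about 16 minutes apart, so skew alone would not have covered that case, and the notification handler is what turns it into a silent re-sign-in. Second, only the expiry exception is handled; if the redirect loops (the same IDX10223 warning repeating for one client in the log), the clocks themselves are off and must be fixed, because restarting sign-in will keep producing tokens the app considers expired.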