3

I'm using dotnet core 3, and trying to set the JWT expire time, and can't find where to do so. I know it can be done where the JWT token is created, but that's happening in one of Microsoft's libraries. Anybody out there know how this can be accomplished? Alternatively it would be nice to have a system to automatically refresh the token.

Here are the relevant excerpts from my Startup.cs file:

public void ConfigureServices(IServiceCollection services)
{
   services.AddDbContext<ApplicationDbContext>(options =>
      options.UseNpgsql(Configuration.GetConnectionString("DefaultConnection")));

   services.AddDefaultIdentity<ApplicationUser>(options => 
      options.SignIn.RequireConfirmedAccount = true)
      .AddEntityFrameworkStores<ApplicationDbContext>();

   services.AddIdentityServer()
      .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

   services.AddAuthentication()
      .AddIdentityServerJwt();

   services.Configure<JwtBearerOptions>(IdentityServerJwtConstants.IdentityServerJwtBearerScheme, options =>
   {
      //Wouldn't this be a good place for an expiration property? Microsoft doesn't think so.
   });

   //Unrelated service configuration code here
}

Then in Configure:

public void Configure(...){
   //Irrelevant stuff here

   app.UseAuthentication();
   app.UseIdentityServer();
   app.UseAuthorization();

   //More irrelevant stuff here
}

Any help is greatly appreciated. Thanks!

Scott Reece
  • 395
  • 1
  • 3
  • 13
  • Where is the code to create the token? I hope there should be an endpoint from where you will issue token. The middleware in the request pipeline will validate the incoming jwt token but will not create it. Also, where are you adding the claims for your token? – Prateek Kumar Dalbehera May 15 '20 at 03:06
  • Well that's the thing. There is no code in my project that does it. It's just included as part of the Identity Server black box. I guess I just need to toss the black box. – Scott Reece May 16 '20 at 07:55
  • Atleast you should be passing some claims to be included in the token, typically in the method we set the token lifetime – Prateek Kumar Dalbehera May 16 '20 at 08:12
  • Nope, I have no code anywhere in my application that touches claims. It's all in the Microsoft 'black box'. – Scott Reece May 16 '20 at 22:55
  • 2
    Did you ever figure this out? I tried the proposed solution below to no avail. Like you, I am using core 3.1 and angular 8 for the front end so I'm having a hell of time with that black box as well :-) – eddyizm Dec 10 '20 at 22:35
  • 1
    Sorry @eddyizm, but I did not. I just decided not to use JWTs. I had other difficulties too, and in the end it just wasn't worth it. Configuring dotnet core and Kestrel feels more like voodoo than software development in my opinion. – Scott Reece Dec 12 '20 at 01:34
  • Thanks for the response @ScottReece , I ended up writing a front end timer to log users out. Seems to work fine since I could not figure out the dotnet core voodoo. I figure the front end is required too and hopefully get this JWT later. – eddyizm Dec 12 '20 at 17:27

1 Answers1

1

You can re-config the default Client that Microsoft created in AddApiAuthorization method

services.AddIdentityServer()
.AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
{
    options.Clients.First().AccessTokenLifetime = 600;
});
Luong Ngoc Hoang
  • 31
  • 4