JwtSecurityToken不会在应有的时间到期 [英] JwtSecurityToken doesn't expire when it should
问题描述
我当前在System.IdentityModels.Tokens命名空间中使用JwtSecurityToken类.我使用以下方法创建令牌:
I am currently using the JwtSecurityToken class in System.IdentityModels.Tokens namespace. I create a token using the following:
DateTime expires = DateTime.UtcNow.AddSeconds(10);
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
var genericIdentity = new System.Security.Principal.GenericIdentity(username, "TokenAuth");
ClaimsIdentity identity = new ClaimsIdentity(claims);
string secret = ConfigurationManager.AppSettings["jwtSecret"].ToString();
var securityKey = new InMemorySymmetricSecurityKey(Encoding.Default.GetBytes(secret));
var signingCreds = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.HmacSha256Signature);
var securityToken = handler.CreateToken(
issuer: issuer,
audience: ConfigurationManager.AppSettings["UiUrl"].ToString(),
signingCredentials: signingCreds,
subject: identity,
expires: expires,
notBefore: DateTime.UtcNow
);
return handler.WriteToken(securityToken);
出于某种原因,即使将到期时间设置为当前时间之后的10秒,但直到验证令牌大约5分钟后,它实际上才不会引发异常.看到此消息后,我认为可能至少有5分钟的到期时间,所以我将到期时间设置为:
For some reason even though the expires is set to 10 seconds after the current time it doesn't actually throw an exception when the token is being validated until about 5 minutes. After seeing this, I thought maybe there was a minimum expire time of 5 minutes, so I set the expire time to:
DateTime.UtcNow.AddMinutes(5);
然后它在10分钟后过期,但是异常消息指出过期时间已设置为应设置的时间(用户登录后5分钟),当它在例外中显示当前时间时,它是过期时间后5分钟.因此,似乎知道应该何时到期,但是直到到期时间5分钟后才真正抛出异常.然后,由于令牌似乎在我将其设置为过期的任何时间上增加了5分钟,因此将过期时间设置为:
Then it expires at 10 minutes, but the exception message says that the expire time is set to what it is supposed to be (5 minutes after the user logs in), and when it shows the current time in the exception it is 5 minutes after the expire time. So, it seems to know when it SHOULD expire, but it doesn't actually throw the exception until 5 minutes after the expire time. Then, since the token seems to be adding 5 minutes to whatever time I set it to expire I set the expire time to:
DateTime.UtcNow.AddMinutes(-5).AddSecond(10);
我对此进行了测试,到目前为止,它仍然没有过期(十分钟后).有人可以解释为什么发生这种情况以及我在做什么错吗?另外,如果您在代码中看到了其他任何内容,由于我不熟悉JWT和该库,因此将不胜感激.
I tested this and so far it still hasn't expired (After more than ten minutes). Can someone please explain why this is happening and what I am doing wrong? Also, if you see anything else with the code I provided any guidance would be appreciated since I am new to using JWTs and this library.
推荐答案
通读@Denis Kucherov的答案后,我发现我可以使用他发布的同一个自定义验证器,而无需使用JwtBearerOptions类,而这需要我添加一个新的图书馆.
After reading through @Denis Kucherov's answer, I found out that I could use the same custom validator he posted without using the JwtBearerOptions class which would have required me to add a new library.
此外,由于有两个包含许多相同类的名称空间,因此我将确保提及所有这些都使用System.IdentityModels ...名称空间. (不是Microsoft.IdentityModels ...)
Also, Since there are two namespaces which contain a lot of these same classes I will make sure to mention that all of these are using the System.IdentityModels... namespaces. (NOT Microsoft.IdentityModels...)
下面是我最终使用的代码:
Below is the code I ended up using:
private bool CustomLifetimeValidator(DateTime? notBefore, DateTime? expires, SecurityToken tokenToValidate, TokenValidationParameters @param)
{
if (expires != null)
{
return expires > DateTime.UtcNow;
}
return false;
}
private JwtSecurityToken ValidateJwtToken(string tokenString)
{
string secret = ConfigurationManager.AppSettings["jwtSecret"].ToString();
var securityKey = new InMemorySymmetricSecurityKey(Encoding.Default.GetBytes(secret));
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
TokenValidationParameters validation = new TokenValidationParameters()
{
ValidAudience = "MyAudience",
ValidIssuer = "MyIssuer",
ValidateIssuer = true,
ValidateLifetime = true,
LifetimeValidator = CustomLifetimeValidator,
RequireExpirationTime = true,
IssuerSigningKey = securityKey,
ValidateIssuerSigningKey = true,
};
SecurityToken token;
ClaimsPrincipal principal = handler.ValidateToken(tokenString, validation, out token);
return (JwtSecurityToken)token;
}
这篇关于JwtSecurityToken不会在应有的时间到期的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
