JWT 令牌到期时间失败 .net 核心 [英] JWT Token Expiration time failing .net core

问题描述

我正在尝试通过 .NET Core 2.1 中的刷新令牌和 JWT 实现基于令牌的身份验证.

I am trying to implement Token Based Authentication through refresh tokens and JWT in .NET Core 2.1.

这就是我实现 JWT 令牌的方式:

This is how I am implementing the JWT Token:

Startup.cs

services.AddAuthentication(option =>
    {
        option.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        option.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        option.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.SaveToken = true;
        options.RequireHttpsMetadata = true;
        options.TokenValidationParameters = new TokenValidationParameters()
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidAudience = Configuration["Jwt:Site"],
            ValidIssuer = Configuration["Jwt:Site"],
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:SigningKey"]))
        };

        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
                {
                    context.Response.Headers.Add("Token-Expired", "true");
                }
                return Task.CompletedTask;
            }
        };
    });

代币生成:

var jwt = new JwtSecurityToken(
                issuer: _configuration["Jwt:Site"],
                audience: _configuration["Jwt:Site"],
                expires: DateTime.UtcNow.AddMinutes(1),
                signingCredentials: new SigningCredentials(signinKey, SecurityAlgorithms.HmacSha256)
                );

        return new TokenReturnViewModel()
        {
            token = new JwtSecurityTokenHandler().WriteToken(jwt),
            expiration = jwt.ValidTo,
            currentTime = DateTime.UtcNow
        };

我在 Response 中得到了正确的值.

I am getting he correct values in Response.

但一分钟后，我在 Postman 中为授权设置了相同的令牌，并且它起作用了.如果令牌已过期，则不应过期.

But after a minute I set the same token for authorization in Postman and it works. If the token has expired it shouldn't.

我使用不记名令牌作为身份验证.

I am using bearer tokens as authentication.

我做错了什么?需要指导.

What am I doing wrong? Need direction.

推荐答案

有一个令牌验证参数叫做ClockSkew，它获取或设置在验证时间时应用的时钟偏差.ClockSkew 的默认值为 5 分钟.这意味着如果您没有设置它，您的令牌将在最多 5 分钟内仍然有效.

There is a token validation parameter called ClockSkew, it gets or sets the clock skew to apply when validating a time. The default value of ClockSkew is 5 minutes. That means if you haven't set it, your token will be still valid for up to 5 minutes.

如果您想在确切的时间使您的令牌过期；您需要将 ClockSkew 设置为零，如下所示，

If you want to expire your token on the exact time; you'd need to set ClockSkew to zero as follows,

options.TokenValidationParameters = new TokenValidationParameters()
{
    //other settings
    ClockSkew = TimeSpan.Zero
};

另一种方法，创建自定义AuthorizationFilter并手动检查.

Another way, create custom AuthorizationFilter and check it manually.

var principal = ApiTokenHelper.GetPrincipalFromToken(token);
var expClaim = principal.Claims.First(x => x.Type == "exp").Value;
var tokenExpiryTime = Convert.ToDouble(expClaim).UnixTimeStampToDateTime();
if (tokenExpiryTime < DateTime.UtcNow)
{
  //return token expired
} 

这里，GetPrincipalFromToken 是 ApiTokenHelper 类的自定义方法，它将返回您在发布时存储的 ClaimsPrincipal 值一个令牌.

Here, GetPrincipalFromToken is a custom method of the ApiTokenHelper class, and it will return the ClaimsPrincipal value that you've stored while issuing a token.

这篇关于JWT 令牌到期时间失败 .net 核心的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！