为什么我的 JWT 不记名身份验证在令牌说 5 分钟后将令牌识别为过期? [英] Why is my JWT bearer authentication recognizing tokens as expired 5 minutes after the token says?

问题描述

我正在使用 AspNet.Security.OpenIdConnect.Server 来发布 JWT 令牌并将 AuthorizationCodeLifetime 设置为 30 秒以进行测试.这是我用来设置选项的代码片段

I'm using AspNet.Security.OpenIdConnect.Server to issue JWT tokens and have the AuthorizationCodeLifetime set to 30 seconds for testing. Here is the snippet of code I'm using to set the options

        options.TokenEndpointPath = "/api/token";
        options.AllowInsecureHttp = true;
        options.AccessTokenHandler = new JwtSecurityTokenHandler();
        options.SigningCredentials.Add(new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
        options.AccessTokenLifetime = TimeSpan.FromSeconds(30);
        options.AuthorizationCodeLifetime = TimeSpan.FromSeconds(30);

返回的令牌包含:

  "expires_in": 30,

并且反序列化的令牌包含以下声明:

and the deserialized token contains the following claims:

 "nbf": 1476915220,
 "exp": 1476915250,
 "iat": 1476915220,

如您所见，exp(到期时间)是 iat(发布时间)之后的 30 秒.然而，令牌在过期 5 分钟后才会触发 401 Unauthorized.如果我们将 exp 号插入 http://www.epochconverter.com/ 那么我们会看到计算结果为 2016 年 10 月 19 日星期三 22:14:10 GMT，即我当地时间下午 5:14:10.

As you can see, the exp (expire time) is 30 seconds after the iat (issue time). Yet, the token isn't triggering an 401 Unauthorized until 5 minutes after it expires. If we plug the exp number in to http://www.epochconverter.com/ then we will see that this evaluates to Wed, 19 Oct 2016 22:14:10 GMT which is 5:14:10 PM in my local time.

以下是核心库的一些记录输出:

Here is some logged output from the Core library :

Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired.
ValidTo: '10/19/2016 22:14:10'
Current time: '10/19/2016 22:19:10'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, JwtSecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[7]
      Bearer was not authenticated. Failure message: IDX10223: Lifetime validation failed. The token is expired.
ValidTo: '10/19/2016 22:14:10'
Current time: '10/19/2016 22:19:10'.

当然，此输出并不能证明服务器在 22:14:10 和 22:19:10 之间接受了令牌.如果我碰巧在它过期后等待了 5 分钟然后尝试验证令牌，这就是它会做的事情，但你必须相信我的话.我在 Postman 中进行测试，每秒都在单击发送"，直到它返回 401.

Of course, this output doesn't prove that the server was accepting the token between 22:14:10 and 22:19:10. This is what it would have done had I happen to have waited 5 minutes after it was expired and then tried to validate the token, but you'll have to take my word for it. I was testing in Postman and was clicking "Send" every second until it returned a 401.

那么，怎么了?是否有一些我不知道的内置 5 分钟缓冲区?有趣的是，AccessTokenLifetime 的默认值为 5 分钟，但令牌肯定反映了我已将其更改为 30 秒.怎么回事?

So, what's up? Is there some 5 minute buffer built in that I'm not aware of? Interestingly, the default value for the AccessTokenLifetime is 5 minutes, but the token is definitely reflecting that I've changed it to 30 seconds. What's going on?

我正在使用的相关库:

<package id="AspNet.Security.OpenIdConnect.Extensions" version="1.0.0-beta6-final" targetFramework="net452" />
<package id="AspNet.Security.OpenIdConnect.Server" version="1.0.0-beta6-final" targetFramework="net452" />
<package id="Microsoft.AspNetCore.Authentication.JwtBearer" version="1.0.0" targetFramework="net452" />

推荐答案

那么，怎么了?是否有一些我不知道的内置 5 分钟缓冲区?怎么回事?

So, what's up? Is there some 5 minute buffer built in that I'm not aware of? What's going on?

您所说的缓冲区"实际上是 JWT 承载中间件(由 Microsoft 开发)提供的一种内置功能，称为时钟偏差"，旨在​​减轻网络场中时钟不同步的影响.

What you call "buffer" is actually a built-in feature offered by the JWT bearer middleware (developed by Microsoft) which is known as "clock skew" and was designed to mitigate the effects of clock desynchronization in web farms.

如您所见，默认值设置为 5 分钟，但可以通过 JwtBearerOptions.TokenValidationParameters.ClockSkew.

As you figured out, the default value is set to 5 minutes, but it can be changed via JwtBearerOptions.TokenValidationParameters.ClockSkew.

这篇关于为什么我的 JWT 不记名身份验证在令牌说 5 分钟后将令牌识别为过期?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！