I have a scenario in which I need to set the clock skew for JWT bearer tokens, but whatever I do, the code ignores my settings.

I have tried configuring it in multiple different sections of the Dependency Injection file in the Infrastructure Layer, but it ignores all of them.

I have this at the moment:

```csharp
services.AddIdentityServer(options =>
    {
        options.IssuerUri = configuration.GetSection("MyCurrentDomainName")?.Value;
        options.Authentication.CookieLifetime = TimeSpan.FromDays(999);
        options.Authentication.CookieSlidingExpiration = true;
    })
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

services.AddAuthentication()
    .AddIdentityServerJwt();

// Attempt to set the clock skew on the JWT bearer options
services.Configure<JwtBearerOptions>(configuration =>
{
    configuration.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(9875664);
});

services.TryAddEnumerable(ServiceDescriptor
    .Singleton<IConfigureOptions<JwtBearerOptions>, ConfigureBearerOptions>());

services.AddTransient<IProfileService, ProfileService>();

// Post-configuration step that also sets the clock skew
services.TryAddEnumerable(ServiceDescriptor
    .Singleton<IPostConfigureOptions<JwtBearerOptions>, ConfigureJwtBearerOptions>());
```

The code ignores my configurations and sets the clock skew to its default 5 minutes.

In the last line of the above code, I have a PostConfigurationOption, and I have set the clock skew there as well. It runs the code, but when the WebUI layer calls for the authentication, the clock skew will default to 5 minutes.

What am I doing wrong here?

1 Answer

```csharp
services.AddIdentityServer(options =>
    {
        options.Authentication.CookieLifetime = TimeSpan.FromDays(999);
    });
```

If you're using a JWT token, why set the cookie lifetime?

```csharp
services.Configure<JwtBearerOptions>(configuration =>
{
    configuration.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(9875664);
});
```

JwtBearerOptions got registered in the app services, but internally, IdentityServer doesn't make use of this.

IdentityServer internally makes use of the Clients table on the server to skew the clock for each client that we register. The time is specified by the corresponding columns IdentityTokenLifetime, AccessTokenLifetime, AuthorizationCodeLifetime, ConsentLifetime, AbsoluteRefreshTokenLifetime, SlidingRefreshTokenLifetime; modify them as you need.

UPDATE

The template still makes use of IdentityServer4; it doesn't do its own magic. And that's what happens in the template.

In Startup, the services call AddInfrastructure, which lets the app use an in-memory database (the default config in appSettings). Furthermore, IdentityServer takes the IdentityServerSPA option in appSettings as its profile, which gets configured at .AddApiAuthorization<ApplicationUser, ApplicationDbContext>().

Since it's a pre-configured profile, you cannot mess with it.

For the clearest instructions, use a LocalDB SQL Server. I think the way to do that is clear enough in the DependencyInjection file in the Infrastructure layer. Then we'll see the table magically appear in SQL.

And if it's just a simple demo, try this:

```csharp
// Modify this block of code in the DependencyInjection file, Infrastructure layer
services.AddIdentityServer()
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(cfg =>
    {
        var defaultClient = cfg.Clients["CleanArchitecture.WebUI"];
        defaultClient.AccessTokenLifetime = 3600; // 3600s
    });
```

And the other lifetimes for each kind of token per client can be configured as well.
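
To make the two settings discussed above concrete, here is an added example (not code from the question, the answer, or the template) that validates constructed tokens with `JwtSecurityTokenHandler`: the token lifetime is stamped by the issuer, while `ClockSkew` only widens the window in which the validator still accepts a token after `exp`. The key, issuer, audience and subject are constructed placeholders, and it assumes a console project referencing the System.IdentityModel.Tokens.Jwt package.

```csharp
// Added example: lifetime (issuer side) versus ClockSkew (validator side).
// Assumes the System.IdentityModel.Tokens.Jwt NuGet package.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed placeholder values, not taken from the template.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-32-bytes-min!!"));
const string Issuer = "https://issuer.example";
const string Audience = "demo-api";

// Issuer side: a 3600-second token whose exp is the given instant.
string IssueToken(DateTime expires)
{
    var jwt = new JwtSecurityToken(
        issuer: Issuer,
        audience: Audience,
        claims: new[] { new Claim("sub", "alice") },
        notBefore: expires.AddSeconds(-3600),
        expires: expires,
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
    return new JwtSecurityTokenHandler().WriteToken(jwt);
}

// Validator side: true if the token passes lifetime validation with this skew.
bool Accepts(string token, TimeSpan clockSkew)
{
    var parameters = new TokenValidationParameters
    {
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = key,
        ClockSkew = clockSkew,
    };
    try { new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _); return true; }
    catch (SecurityTokenExpiredException) { return false; }
}

var now = DateTime.UtcNow;
var expired2Min = IssueToken(now.AddMinutes(-2));
var expired100Days = IssueToken(now.AddDays(-100));

Console.WriteLine($"expired 2 min, skew 0:            {Accepts(expired2Min, TimeSpan.Zero)}");
Console.WriteLine($"expired 2 min, skew 5 min:        {Accepts(expired2Min, TimeSpan.FromMinutes(5))}");
Console.WriteLine($"expired 100 days, skew 5 min:     {Accepts(expired100Days, TimeSpan.FromMinutes(5))}");
Console.WriteLine($"expired 100 days, skew 9875664 s: {Accepts(expired100Days, TimeSpan.FromSeconds(9875664))}");
```

The skew value from the question, 9875664 seconds, is about 114 days, so with it the validator still accepts a token whose `exp` passed 100 days earlier.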


3 Comments

I am using Jason Taylor's Clean Architecture template: github.com/jasontaylordev/CleanArchitecture. There is no Clients table or an appsettings file that configures the clients. How can I find where these settings are coming from?
Thanks for the response by the way
It doesn't matter, the template makes use of Microsoft.AspNetCore.ApiAuthorization.IdentityServer, which has IdentityServer4 as its dependency... and believe me, it does use the Clients table. But that's quite bad luck in your circumstance... please take a look at my updated section.
