Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proper way of using Clockskew in JWT OAuth #219

Closed
omair-sajid-confiz opened this issue Jul 26, 2018 · 3 comments
Closed

Proper way of using Clockskew in JWT OAuth #219

omair-sajid-confiz opened this issue Jul 26, 2018 · 3 comments
Milestone

Comments

@omair-sajid-confiz
Copy link

I have an application using following packages

Autofac version="4.8.1" targetFramework="net471"
Autofac.Owin version="4.2.0" targetFramework="net471"
Autofac.WebApi2" version="4.2.0" targetFramework="net471"
Autofac.WebApi2.Owin" version="4.0.0" targetFramework="net471"
jose-jwt" version="2.4.0" targetFramework="net471"
Microsoft.AspNet.Cors" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Client" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Core" version="5.2.6" targetFramework="net471"
Microsoft.AspNet.WebApi.Owin" version="5.2.6" targetFramework="net471"
Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="1.0.7" targetFramework="net471"
Microsoft.IdentityModel.Logging" version="5.2.4" targetFramework="net471"
Microsoft.IdentityModel.Tokens" version="5.2.4" targetFramework="net471"
Microsoft.Net.Compilers" version="2.1.0" targetFramework="net471"
Microsoft.Owin" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Cors" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Host.SystemWeb" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net471"
Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net471"
Newtonsoft.Json" version="11.0.2" targetFramework="net471"
Owin" version="1.0" targetFramework="net471"
Serilog" version="2.7.1" targetFramework="net471"
Swashbuckle.Core" version="5.6.0" targetFramework="net471"
System.IdentityModel.Tokens.Jwt" version="4.0.4.403061554" targetFramework="net471"

Server is issuing tokens with expiry time of 20 minutes.

In resource server I have following configuration

TokenValidationParameters tokenValidationParameters = new TokenValidationParameters()
            {
                ClockSkew = TimeSpan.FromSeconds(_allowedClockDriftSeconds),
                IssuerSigningKey =   ...
                ValidateIssuer = true,
                ValidateAudience = true,
                RequireSignedTokens = true,
                ValidIssuer = "...",
                ValidAudience = "....",
            };

            app.UseJwtBearerAuthentication(
                new JwtBearerAuthenticationOptions
                {
                    AuthenticationMode = AuthenticationMode.Active,
                    AllowedAudiences = new[] { "ConsumerDataServices" },
                    IssuerSecurityTokenProviders =  new IIssuerSecurityTokenProvider[]
                    {
                        ...
                    },
                    TokenHandler = new JoseJwtTokenHandler(decryptionHandler, logger),
                    TokenValidationParameters = tokenValidationParameters,
                });
        }

Auth Server is issuing tokens as JWE Tokens. JoseJwtTokenHandler is overriding ReadToken to decrypt and return JWT Token,

Everything works find for 20 minutes. I Can see my claims in principal.Identity in AuthorizationFilterAttribut. But after 20 minutes authorization stops working as principal.Identity.IsAuthenticated is set to false and claims are empty. On debugging I can see that JoseJwtTokenHandler is working fine.

In my logs I can see following

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Warning: 0 : expired bearer token received

Looking at code of Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler

        DateTimeOffset currentUtc = this.Options.SystemClock.UtcNow;
        if (ticket.Properties.ExpiresUtc.HasValue && ticket.Properties.ExpiresUtc.Value < currentUtc)
        {
          this._logger.WriteWarning("expired bearer token received");
          return (AuthenticationTicket) null;
        }

It looks like OAuthBearerAuthenticationHandler is ignoring ClockSkew.

I have spent lot of time on it but couldn't get it to work. Does what I am doing looks OK? If not what is the correct way to do this?

@omair-sajid-confiz
Copy link
Author

@omair-sajid-confiz
Copy link
Author

IssuedUtc and ExpiresUtc are most probably coming from here

https://github.com/aspnet/AspNetKatana/blob/v3.1.0/src/Microsoft.Owin.Security.Jwt/JwtFormat.cs#L228

@muratg
Copy link

muratg commented Oct 31, 2018

@omair-sajid-confiz

Server is issuing tokens with expiry time of 20 minutes.

and

Everything works find for 20 minutes. I Can see my claims in principal.Identity in AuthorizationFilterAttribut. But after 20 minutes authorization stops working as principal.Identity.IsAuthenticated is set to false and claims are empty.

Maybe I'm missing it, but it just looks like your tokens are expiring. Nothing to do with clock skew here. Just get a new token, or adjust the timeout accordingly (if you have access)

@muratg muratg added this to the Discussions milestone Oct 31, 2018
@Tratcher Tratcher closed this as completed Sep 3, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Oct 3, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants