Correct use of JwtTokens in C#

c# jwt claims
dariogriffo picture dariogriffo · Apr 4, 2015 · Viewed 12.3k times · Source

I'm playing a with JwtTokens and can't make them work properly. I'm using http://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/ for it. I know the code is a mess but is just to show what I'm trying to do. The problem is that I want the JwtTokenHandler to fail the validation because of the lifetime.

var key = "5A0AB091-3F84-4EC4-B227-0834FCD8B1B4";
var domain = "http://localhost";
var allowedAudience = "http://localhost";
var signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";
var digestAlgorithm = "http://www.w3.org/2001/04/xmlenc#sha256";
var issuer = "self";
var securityKey = System.Text.Encoding.Unicode.GetBytes(key);
var inMemorySymmetricSecurityKey = new InMemorySymmetricSecurityKey(securityKey);

var now = DateTime.UtcNow;
var expiry = now.AddSeconds(1);
var tokenHandler = new JwtSecurityTokenHandler();
var claimsList = new List<Claim>()
{
    new Claim(ClaimTypes.Name, "user"),
    new Claim(ClaimTypes.Webpage, allowedAudience),
    new Claim(ClaimTypes.Uri, domain),                
    new Claim(ClaimTypes.Expiration,expiry.Ticks.ToString())
};
var roles = new List<string>() { "admin" };
claimsList.AddRange(roles.Select(role => new Claim(ClaimTypes.Role, role)));

var identity = new GenericIdentity("user");

var tokenDescriptor = new SecurityTokenDescriptor
{
    Subject = new ClaimsIdentity(identity, claimsList),
    TokenIssuerName = issuer,
    AppliesToAddress = allowedAudience,
    Lifetime = new Lifetime(now, expiry),
    SigningCredentials = new SigningCredentials(inMemorySymmetricSecurityKey, signatureAlgorithm, digestAlgorithm),
};

var token = tokenHandler.WriteToken(tokenHandler.CreateToken(tokenDescriptor));

var validationParameters = new TokenValidationParameters()
{
    ValidIssuer = issuer,
    ValidAudience = allowedAudience,
    IssuerSigningToken = new BinarySecretSecurityToken(securityKey)
};

Thread.Sleep(2000);
try
{
    SecurityToken securityToken;
    tokenHandler.ValidateToken(token, validationParameters, out securityToken);
    Console.WriteLine("OK");
}
catch (Exception e)
{
    Console.WriteLine("Error {0}", e.Message);
}

Isn't this suppose to fail since I'm waiting 2 seconds? It fails if I change the issuer of the ValidationTokenParameter to "x"...

Answer

dariogriffo picture dariogriffo · Apr 5, 2015

Found the issue. The validation parameters have a default clock skew of 5 minutes

/// <summary>
/// Default for the clock skew.
/// 
/// </summary>
/// 
/// <remarks>
/// 300 seconds (5 minutes).
/// </remarks>
public static readonly TimeSpan DefaultClockSkew;

Setting that to 0 make this work. Still don't understand why the skew is 5 minutes, if I set the expiry at some point!!!

Related questions

JWT authentication for ASP.NET Web API

I'm trying to support JWT bearer token (JSON Web Token) in my web API application and I'm getting lost. I see support for .NET Core and for OWIN applications. I'm currently hosting my application in IIS. How can I achieve …

Read More
Is there any JSON Web Token (JWT) example in C#?

I feel like I'm taking crazy pills here. Usually there's always a million library and samples floating around the web for any given task. I'm trying to implement authentication with a Google "Service Account" by use of JSON Web Tokens (…

Read More
How to decode JWT Token?

I don't understand how this library works. Could you help me please ? Here is my simple code : public void TestJwtSecurityTokenHandler() { var stream = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJJU1MiLCJzY29wZSI6Imh0dHBzOi8vbGFyaW0uZG5zY2UuZG91YW5lL2NpZWxzZXJ2aWNlL3dzIiwiYXVkIjoiaHR0cHM6…

Read More