C
C#2y ago
Patrick Square

❔ JWT still being accepted after it expires in web API

private string GenerateToken()
{
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtSettings:Key"]!));
    var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
    var claims = new[]
    {
        new Claim("admin", "true")
    };
    var token = new JwtSecurityToken
    (
        _configuration["JwtSettings:Issuer"],
        _configuration["JwtSettings:Audience"],
        claims,
        expires: DateTime.UtcNow.AddSeconds(15),
        signingCredentials: credentials
    );

    return new JwtSecurityTokenHandler().WriteToken(token);
}
private string GenerateToken()
{
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtSettings:Key"]!));
    var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
    var claims = new[]
    {
        new Claim("admin", "true")
    };
    var token = new JwtSecurityToken
    (
        _configuration["JwtSettings:Issuer"],
        _configuration["JwtSettings:Audience"],
        claims,
        expires: DateTime.UtcNow.AddSeconds(15),
        signingCredentials: credentials
    );

    return new JwtSecurityTokenHandler().WriteToken(token);
}
builder.Services.AddAuthentication(x =>
{
    x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = config["JwtSettings:Issuer"],
        ValidAudience = config["JwtSettings:Audience"],
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["JwtSettings:Key"]!))
    };
});
builder.Services.AddAuthentication(x =>
{
    x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = config["JwtSettings:Issuer"],
        ValidAudience = config["JwtSettings:Audience"],
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["JwtSettings:Key"]!))
    };
});
This is the endpoint that requires the JWT 
[Authorize]
[HttpGet("List")]
public async Task<IActionResult> List()
{
    var result = _gameService.GetAllGameStateRecords();

    return result.IsDefined(out var gameStateRecords) 
        ? Ok(gameStateRecords)
        : StatusCode(500, result);
}
[Authorize]
[HttpGet("List")]
public async Task<IActionResult> List()
{
    var result = _gameService.GetAllGameStateRecords();

    return result.IsDefined(out var gameStateRecords) 
        ? Ok(gameStateRecords)
        : StatusCode(500, result);
}
After 15 seconds, as long as I keep the Authorization header with the JWT, the endpoint doesn't 401 me
2 Replies
Patrick Square
Patrick SquareOP2y ago
The exp seems to be correct But it is now well passed that time and I can still use this token Oh shit wait The minium JWT expiration is 5 mionuites?
Accord
Accord2y ago
Looks like nothing has happened here. I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server