❔ JWT still being accepted after it expires in web API

private string GenerateToken()
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtSettings:Key"]!));
var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var claims = new[]
{
new Claim("admin", "true")
};
var token = new JwtSecurityToken
(
_configuration["JwtSettings:Issuer"],
_configuration["JwtSettings:Audience"],
claims,
expires: DateTime.UtcNow.AddSeconds(15),
signingCredentials: credentials
);

return new JwtSecurityTokenHandler().WriteToken(token);
}
private string GenerateToken()
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtSettings:Key"]!));
var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var claims = new[]
{
new Claim("admin", "true")
};
var token = new JwtSecurityToken
(
_configuration["JwtSettings:Issuer"],
_configuration["JwtSettings:Audience"],
claims,
expires: DateTime.UtcNow.AddSeconds(15),
signingCredentials: credentials
);

return new JwtSecurityTokenHandler().WriteToken(token);
}
builder.Services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = config["JwtSettings:Issuer"],
ValidAudience = config["JwtSettings:Audience"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["JwtSettings:Key"]!))
};
});
builder.Services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = config["JwtSettings:Issuer"],
ValidAudience = config["JwtSettings:Audience"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["JwtSettings:Key"]!))
};
});
This is the endpoint that requires the JWT
[Authorize]
[HttpGet("List")]
public async Task<IActionResult> List()
{
var result = _gameService.GetAllGameStateRecords();

return result.IsDefined(out var gameStateRecords)
? Ok(gameStateRecords)
: StatusCode(500, result);
}
[Authorize]
[HttpGet("List")]
public async Task<IActionResult> List()
{
var result = _gameService.GetAllGameStateRecords();

return result.IsDefined(out var gameStateRecords)
? Ok(gameStateRecords)
: StatusCode(500, result);
}
After 15 seconds, as long as I keep the Authorization header with the JWT, the endpoint doesn't 401 me
2 Replies
Patrick Square
Patrick SquareOP2y ago
The exp seems to be correct But it is now well passed that time and I can still use this token Oh shit wait The minium JWT expiration is 5 mionuites?
Accord
Accord2y ago
Looks like nothing has happened here. I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server