ASP.NET Web API - OAuth JWT access token expiration depending on type of client
I created a JWT token implementation based on Taiseer's tutorial.
The following code is added in the OWIN Startup class:
```csharp
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
    AllowInsecureHttp = HttpContext.Current.IsDebuggingEnabled,
    TokenEndpointPath = new PathString("/oauth2/token"),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(90),
    Provider = new CustomOAuthProvider(),
    AccessTokenFormat = new CustomJwtFormat("http://example.com/")
};
```
Now there are different types of apps that use the API. For web clients a 90 minute expiration is enough, but for mobile apps it is far too short.
Is there a way for mobile apps to get a token expiration of 1 year? I use custom HTTP headers to differentiate between the types of apps. I tried to extend the expiration in the Protect method of the CustomJwtFormat class, and this indeed allows a larger expiration in the JWT:
```csharp
public class CustomJwtFormat : ISecureDataFormat<AuthenticationTicket>
{
    public string Protect(AuthenticationTicket data)
    {
        // ... omitted for brevity ...

        // The client identifies its app type through a custom request header.
        string appId = HttpContext.Current.Request.Headers.GetValues("My-Custom-Header").FirstOrDefault();
        if (appId == null)
            throw new ApplicationException("Application id header missing");

        if (appId.ToLower() == "mobileappheader")
        {
            // Set expiration to 1 year.
            expires = DateTimeOffset.UtcNow.AddYears(1);
        }

        var token = new JwtSecurityToken(issuer, audienceId, data.Identity.Claims,
            issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);

        // ... remainder omitted ...
    }
}
```
But the authorization response still says 90 minutes:
```json
{
  "access_token": "eyj0ex...0cly6ju",
  "token_type": "bearer",
  "expires_in": 5399
}
```
As you can see, expires_in is still set to the 90 minute timespan.
Although the response from the server indicates an expiry of 90 minutes, ASP.NET Web API takes what is inside the ticket to determine the expiry time. If you set the default to 90 minutes (in Startup.cs) and 1 year for mobile apps, mobile apps will get a 1 year expiration.
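As an added example (not code from the question, the answer, or Taiseer's tutorial), here is a Protect method that picks the lifetime per client type and also writes it back into the ticket's Properties.ExpiresUtc, which is the value the OWIN OAuth server handler reads from the same ticket object after Protect returns to compute expires_in, so the token response and the JWT exp claim agree. It assumes the issuer, audience and signing credentials are passed to the constructor, and that the OAuth provider stored the client_id it validated under the property key "as:client_id" (an assumed key), so that the long lifetime is granted on the authenticated client identity rather than on a free-form header that any caller can send.

```csharp
using System;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security;

public class CustomJwtFormat : ISecureDataFormat<AuthenticationTicket>
{
    private static readonly TimeSpan WebLifetime = TimeSpan.FromMinutes(90);
    private static readonly TimeSpan MobileLifetime = TimeSpan.FromDays(365);

    private readonly string _issuer;
    private readonly string _audienceId;
    private readonly SigningCredentials _signingKey;

    public CustomJwtFormat(string issuer, string audienceId, SigningCredentials signingKey)
    {
        _issuer = issuer;
        _audienceId = audienceId;
        _signingKey = signingKey;
    }

    public string Protect(AuthenticationTicket data)
    {
        if (data == null) throw new ArgumentNullException("data");

        // Decide the lifetime from the client_id the provider already validated
        // (assumed to be stored under "as:client_id"), not from a request header.
        string clientId;
        data.Properties.Dictionary.TryGetValue("as:client_id", out clientId);
        bool isMobile = string.Equals(clientId, "mobileApp", StringComparison.OrdinalIgnoreCase);
        TimeSpan lifetime = isMobile ? MobileLifetime : WebLifetime;

        DateTimeOffset issued = data.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
        DateTimeOffset expires = issued.Add(lifetime);

        // Write the chosen expiry back into the ticket: the OAuth server computes
        // expires_in from Properties.ExpiresUtc after Protect returns, so without
        // this line the response keeps reporting AccessTokenExpireTimeSpan.
        data.Properties.IssuedUtc = issued;
        data.Properties.ExpiresUtc = expires;

        var token = new JwtSecurityToken(_issuer, _audienceId, data.Identity.Claims,
            issued.UtcDateTime, expires.UtcDateTime, _signingKey);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        // Validation is handled by the JWT bearer middleware on the resource server.
        throw new NotImplementedException();
    }
}
```

A year-long bearer token cannot be revoked once issued, so a short-lived access token paired with a refresh token is the usual way to give mobile clients a long session without the exposure.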