In our API we implemented DotNetOpenAuth (v3.4.7). We frequently receive the exception "A token in the message was not recognized by the service provider", along with this stack trace:

   at DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(Boolean condition, String message, Object[] args)
   at DotNetOpenAuth.Messaging.ErrorUtilities.ThrowProtocol(String message, Object[] args)
   at DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement.VerifyThrowTokenTimeToLive(ITokenContainingMessage message)
   at DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement.ProcessIncomingMessage(IProtocolMessage message)
   at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message)

Just recently I discovered this exception is thrown when people take too long authorize their request token. So the time between step 1 and step 2 of the authorization process is too long.

Can this time be configured in the web.config or programmatically?

Note: I tried messaging lifetime="00:30:00" but that does not seem to influence what I'm aiming for.

Two factors go into possibly producing this error:

1. IServiceProviderTokenManager.GetRequestToken throws a KeyNotFoundException, OR
2. The token is older than the timeout specified in your web.config file's dotNetOpenAuth/oauth/serviceProvider/security/@maxAuthorizationTime setting.

For example:

<dotNetOpenAuth>
    <oauth>
        <serviceProvider>
            <security maxAuthorizationTime="00:05:00"/>
        </serviceProvider>
    </oauth>
</dotNetOpenAuth>