Get expire time of OAuth session

Posted 2020-08-13 04:39

Question:

To grant or revoke access to my web APIs, I use the OAuth password and token refresh workflow.

If I understand everything correctly the workflow should be something like this:

  1. Authenticate with username / password / client id
  2. Retrieve access token, refresh token and expire date
  3. Start timeout in client to refresh your token after expired token time
  4. Go on with bullet 2 -> and so on..

The process above works fine so far. My problem is that I don't get the expire time out of the user's principal after the authentication request. So if I work with stateless web clients, I need to renew my token every request to retrieve a new expire date, even if the user's token is valid :/

What I want is something like a /api/session/information service, that provides general information about the current session of an authenticated user.

How do I retrieve my expire date? =)

[HttpGet]
[ActionName("information")]
public HttpResponseMessage Information(BaseRequest request)
{

    var p = Request.GetRequestContext().Principal;

    /* here i need help =) */
}

Answer 1:

Your access token (JWT?) should contain an expiry claim. In JWT it is "exp", which shows the number of seconds since 1970-1-1. In JavaScript you can get a date from this like this:

new Date(<exp> * 1000);

In .Net / C# you would be able to do the same:

var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
return epoch.AddSeconds(<exp>);

Is that what you are looking for? Otherwise let me know. Happy to help :-)



Answer 2:

Just to expand on Henrik N.'s answer a little. If you're in C# then you can use JwtSecurityTokenHandler within System.IdentityModel.Tokens.Jwt (NuGet: Install-Package System.IdentityModel.Tokens.Jwt) to read the token, and the resulting JwtSecurityToken object gives you some handy properties, one of which is ValidTo, which converts the exp claim into a DateTime object for you. E.g.:

using System;
using System.IdentityModel.Tokens.Jwt;

var tokenString = GetTokenString(); // Arbitrary method to get the token
var handler = new JwtSecurityTokenHandler();
var token = handler.ReadToken(tokenString) as JwtSecurityToken;
var tokenExpiryDate = token.ValidTo;

// If there is no valid `exp` claim then `ValidTo` returns DateTime.MinValue
if(tokenExpiryDate == DateTime.MinValue) throw new Exception("Could not get exp claim from token");

// If the token is in the past then you can't use it
if(tokenExpiryDate < DateTime.UtcNow) throw new Exception($"Token expired on: {tokenExpiryDate}");

// Token is valid
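
An added JavaScript example, not part of either answer: for the stateless web client in the question, it reads the `exp` claim from the access token and computes how long to wait before refreshing. It assumes the access token is a compact JWT; `getTokenExpiry`, `msUntilRefresh`, `makeSampleToken` and the 30-second skew are hypothetical names and values, and the sample token is constructed.

```javascript
// Decodes the payload only; the signature is NOT verified here, so use the
// result to schedule a refresh, never to make an authorization decision.
function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; convert to padded base64.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function getTokenExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('Not a compact JWT: expected 3 segments');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  // "exp" is a NumericDate: seconds since 1970-01-01T00:00:00Z.
  if (typeof claims.exp !== 'number' || !Number.isFinite(claims.exp)) {
    throw new Error('Token has no numeric exp claim');
  }
  return new Date(claims.exp * 1000);
}

// Milliseconds to wait before refreshing; 0 means refresh now.
// skewMs (assumed default: 30 s) refreshes early to absorb clock drift.
function msUntilRefresh(token, nowMs = Date.now(), skewMs = 30000) {
  return Math.max(0, getTokenExpiry(token).getTime() - skewMs - nowMs);
}

// Builds a constructed sample token with a placeholder signature (Node only).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const sample = makeSampleToken({ sub: 'demo-user', exp: 1597300000 });
console.log('expires at', getTokenExpiry(sample).toISOString());
console.log('refresh in', msUntilRefresh(sample), 'ms');
```

On the server, the expiry should be taken from a token whose signature has already been validated, not from a bare decode like this one.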