I'm trying to generate a token inside a Web API action method based on the code below:

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Newtonsoft.Json.Linq;

private JObject GeneratePaymentTokenResponse(string email, bool rememberMe)
{
    //var tokenExpiration = rememberMe ? TimeSpan.FromDays(14) : TimeSpan.FromMinutes(30);
    var tokenExpiration = rememberMe ? TimeSpan.FromMinutes(30) : TimeSpan.FromMinutes(5);

    // Identity carrying only the e-mail claim; the authentication type must be non-null
    ClaimsIdentity identity = new ClaimsIdentity("CustomType", ClaimTypes.Email, ClaimTypes.Role);
    identity.AddClaim(new Claim(ClaimTypes.Email, email));

    // Issue/expiry timestamps are stored inside the protected ticket
    var props = new AuthenticationProperties()
    {
        IssuedUtc = DateTime.UtcNow,
        ExpiresUtc = DateTime.UtcNow.Add(tokenExpiration)
    };

    var ticket = new AuthenticationTicket(identity, props);
    var accessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);

    JObject tokenResponse = new JObject(
        new JProperty("email", email),
        new JProperty("customToken", accessToken),
        new JProperty("expiresIn", tokenExpiration.TotalSeconds),
        new JProperty("issuedUtc", ticket.Properties.IssuedUtc),
        new JProperty("expiresUtc", ticket.Properties.ExpiresUtc)
    );
    return tokenResponse;
}
```
The `OAuthBearerOptions` object is coming from the Startup class as below:

```csharp
public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }

// inside Configuration(IAppBuilder app):
OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
// Token Consumption (Resource Server)
app.UseOAuthBearerAuthentication(OAuthBearerOptions);
```
Now when I try to pass a valid access token that has expired and call `AccessTokenFormat.Unprotect` as in the code below:

```csharp
Microsoft.Owin.Security.AuthenticationTicket ticket =
    Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(paymentToken);

if ((ticket == null) || (!ticket.Identity.IsAuthenticated))
{
    actionContext.Response = CreateForbiddenResponse(actionContext);
    return Task.FromResult<object>(null);
}
```
I'm receiving a valid ticket, and the value of `ticket.Identity.IsAuthenticated` is true even though the token has expired.

Currently I'm using the latest version (3.0.1) of the Microsoft.Owin.Security assembly.

I would appreciate any clue on how to set the expiry date for this token.
That's totally intended: `Unprotect` will return a ticket with a valid `ClaimsIdentity` even if it is expired. Since `ClaimsIdentity.IsAuthenticated` only ensures the `ClaimsIdentity.AuthenticationType` property is not null, it's not a reliable way to ensure the ticket is not expired.

Actually, it's up to you to determine whether the ticket is still valid and return an error if necessary (which is exactly what the bearer middleware does internally when receiving an access token: https://github.com/jchannon/katanaproject/blob/master/src/Microsoft.Owin.Security.OAuth/OAuthBearerAuthenticationHandler.cs#L68-L73)
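The expiry check the answer describes, written out as an added example (this is not code from the question, the answer, or the Katana project): a helper that unprotects the token and then compares `ticket.Properties.ExpiresUtc` against the current time, the same comparison the linked bearer handler performs. The helper name `UnprotectIfValid`, the injected `utcNow` parameter (so the check can be unit-tested without waiting for a real expiry) and the decision to also reject tickets that carry no `ExpiresUtc` at all are assumptions made here; the bearer handler itself only rejects when an expiry is present and in the past.

```csharp
using System;
using Microsoft.Owin.Security;

// Added example, not the question's or the library's own code.
public static class TokenValidation
{
    // Returns the ticket only when it unprotects, carries an authenticated identity
    // AND has not expired; returns null in every other case so callers fail closed.
    public static AuthenticationTicket UnprotectIfValid(
        ISecureDataFormat<AuthenticationTicket> format,
        string token,
        DateTimeOffset utcNow)
    {
        if (string.IsNullOrWhiteSpace(token))
            return null;

        // Unprotect only verifies the protected payload (decryption / signature);
        // it deliberately does NOT look at ExpiresUtc. It returns null for
        // tampered or unparseable input; the catch below is defensive only.
        AuthenticationTicket ticket;
        try
        {
            ticket = format.Unprotect(token);
        }
        catch (Exception)
        {
            return null;
        }

        // IsAuthenticated is true whenever AuthenticationType is non-null, so this
        // catches tickets built without an authentication type but says nothing about time.
        if (ticket == null || ticket.Identity == null || !ticket.Identity.IsAuthenticated)
            return null;

        // The actual expiry check. Same comparison as the bearer handler:
        // a ticket whose ExpiresUtc lies in the past is rejected.
        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value < utcNow)
            return null;

        // Assumed policy for this example: a ticket with no expiry recorded is
        // treated as invalid rather than as valid forever.
        if (!expires.HasValue)
            return null;

        return ticket;
    }

    // Usage inside the question's own authorization filter (paymentToken,
    // actionContext and CreateForbiddenResponse are the question's names):
    //
    //   var ticket = TokenValidation.UnprotectIfValid(
    //       Startup.OAuthBearerOptions.AccessTokenFormat, paymentToken, DateTimeOffset.UtcNow);
    //   if (ticket == null)
    //   {
    //       actionContext.Response = CreateForbiddenResponse(actionContext);
    //       return Task.FromResult<object>(null);
    //   }
}
```

Because `AccessTokenFormat.Protect` stores `IssuedUtc` and `ExpiresUtc` inside the protected payload, the values read back after `Unprotect` are integrity-protected and cannot be extended by the client; the only thing missing in the question's filter is comparing them against the clock.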