問(wèn)題描述

我目前在 System.IdentityModels.Tokens 命名空間中使用 JwtSecurityToken 類(lèi).我使用以下內(nèi)容創(chuàng)建了一個(gè)令牌:

I am currently using the JwtSecurityToken class in System.IdentityModels.Tokens namespace. I create a token using the following:

DateTime expires = DateTime.UtcNow.AddSeconds(10);
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
var genericIdentity = new System.Security.Principal.GenericIdentity(username, "TokenAuth");

ClaimsIdentity identity = new ClaimsIdentity(claims);
string secret = ConfigurationManager.AppSettings["jwtSecret"].ToString();
var securityKey = new     InMemorySymmetricSecurityKey(Encoding.Default.GetBytes(secret));
var signingCreds = new SigningCredentials(securityKey,     SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.HmacSha256Signature);
var securityToken = handler.CreateToken(
    issuer: issuer,
    audience: ConfigurationManager.AppSettings["UiUrl"].ToString(),
    signingCredentials: signingCreds,
    subject: identity,
    expires: expires,
    notBefore: DateTime.UtcNow
);
return handler.WriteToken(securityToken); 

由于某種原因，即使將 expires 設(shè)置為當(dāng)前時(shí)間之后的 10 秒，在驗(yàn)證令牌時(shí)它實(shí)際上不會(huì)拋出異常，直到大約 5 分鐘.看到這里，我想可能是最小過(guò)期時(shí)間為 5 分鐘，所以我將過(guò)期時(shí)間設(shè)置為:

For some reason even though the expires is set to 10 seconds after the current time it doesn't actually throw an exception when the token is being validated until about 5 minutes. After seeing this, I thought maybe there was a minimum expire time of 5 minutes, so I set the expire time to:

DateTime.UtcNow.AddMinutes(5);

然后它在 10 分鐘過(guò)期，但是異常消息說(shuō)過(guò)期時(shí)間設(shè)置為應(yīng)有的時(shí)間(用戶登錄后 5 分鐘)，當(dāng)它在異常中顯示當(dāng)前時(shí)間時(shí)它是過(guò)期時(shí)間后 5 分鐘.因此，它似乎知道它應(yīng)該何時(shí)過(guò)期，但實(shí)際上直到過(guò)期時(shí)間后 5 分鐘才拋出異常.然后，由于令牌似乎在我將其設(shè)置為過(guò)期的任何時(shí)間上增加了 5 分鐘，因此我將過(guò)期時(shí)間設(shè)置為:

Then it expires at 10 minutes, but the exception message says that the expire time is set to what it is supposed to be (5 minutes after the user logs in), and when it shows the current time in the exception it is 5 minutes after the expire time. So, it seems to know when it SHOULD expire, but it doesn't actually throw the exception until 5 minutes after the expire time. Then, since the token seems to be adding 5 minutes to whatever time I set it to expire I set the expire time to:

DateTime.UtcNow.AddMinutes(-5).AddSecond(10);

我對(duì)此進(jìn)行了測(cè)試，到目前為止它還沒(méi)有過(guò)期(十多分鐘后).有人可以解釋為什么會(huì)發(fā)生這種情況以及我做錯(cuò)了什么嗎?此外，如果您在我提供的代碼中看到任何其他內(nèi)容，我們將不勝感激，因?yàn)槲沂鞘褂?JWT 和這個(gè)庫(kù)的新手.

I tested this and so far it still hasn't expired (After more than ten minutes). Can someone please explain why this is happening and what I am doing wrong? Also, if you see anything else with the code I provided any guidance would be appreciated since I am new to using JWTs and this library.

推薦答案

閱讀@Denis Kucherov 的回答后，我發(fā)現(xiàn)我可以使用他發(fā)布的同一個(gè)自定義驗(yàn)證器，而無(wú)需使用需要我添加的 JwtBearerOptions 類(lèi)一個(gè)新的圖書(shū)館.

After reading through @Denis Kucherov's answer, I found out that I could use the same custom validator he posted without using the JwtBearerOptions class which would have required me to add a new library.

另外，由于有兩個(gè)命名空間包含許多相同的類(lèi)，我將確保提到所有這些都使用 System.IdentityModels... 命名空間.(不是 Microsoft.IdentityModels...)

Also, Since there are two namespaces which contain a lot of these same classes I will make sure to mention that all of these are using the System.IdentityModels... namespaces. (NOT Microsoft.IdentityModels...)

下面是我最終使用的代碼:

Below is the code I ended up using:

private bool CustomLifetimeValidator(DateTime? notBefore, DateTime? expires, SecurityToken tokenToValidate, TokenValidationParameters @param)
{
    if (expires != null)
    {
        return expires > DateTime.UtcNow;
    }
    return false;
}
private JwtSecurityToken ValidateJwtToken(string tokenString)
{
   string secret = ConfigurationManager.AppSettings["jwtSecret"].ToString();
   var securityKey = new InMemorySymmetricSecurityKey(Encoding.Default.GetBytes(secret));
   JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
   TokenValidationParameters validation = new TokenValidationParameters()
   {
       ValidAudience = "MyAudience",
       ValidIssuer = "MyIssuer",
       ValidateIssuer = true,
       ValidateLifetime = true,
       LifetimeValidator = CustomLifetimeValidator,
       RequireExpirationTime = true,
       IssuerSigningKey = securityKey,
       ValidateIssuerSigningKey = true,
   };
   SecurityToken token;
   ClaimsPrincipal principal = handler.ValidateToken(tokenString, validation, out token);
   return (JwtSecurityToken)token;
}

這篇關(guān)于JwtSecurityToken 不會(huì)過(guò)期的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！