Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

ASP.NET Web API Authorization tokens expiring early

I have implemented security for my web api (individual accounts) as discussed here.

I have hosted the website on godaddy (shared hosting) and its working fine. When I ask for token by using url "domain.com/token", I get the token with expiration date of within 15 days. I have set this in "StartupAuth.cs" using

AccessTokenExpireTimeSpan = TimeSpan.FromDays(15)

e.g.:

{
  "access_token":"qwertyuiop.....",
  "token_type":"bearer",
  "expires_in":1209599, 
  "userName":"[email protected]",
  ".issued":"Wed, 11 Feb 2015 01:00:00 GMT",
  ".expires":"Thu, 26 Feb 2015 01:00:00 GMT"
}

(I put values in above code, but you get the idea of the ".expires" field.

5 minutes after getting the token, when I try and access "get" or "post" or any method in my API by passing authorization: bearer token in header as:

Authorization: Bearer qwertyuiop.....

I get this error:

{"Message":"Authorization has been denied for this request."}

Although its just been 5 minutes and token is supposed to last 15 days, it expires within 5 minutes. When I request any method "get"/"post" within interval of 5 minutes, I get the proper response with my data in JSON. In short, authorization succeeds.

I have repeated this behavior by testing it via Fiddler, REST plugin of Chrome and via the mobile app which uses the API.

I have web.config values for session as below (I thought its related)

<sessionState timeout="180" />

Note that forms authentication is not used, so timeout on that section in web.config is not necessary.

Any idea what's going on? This timeout is causing the users of mobile apps which use the API to re-login every now and then. Any help would be appreciated.

Thanks.

like image 850
Vaibhav J. Avatar asked Feb 12 '15 15:02

Vaibhav J.


People also ask

How long should API tokens last?

By default, access tokens are valid for 60 days and programmatic refresh tokens are valid for a year.

Why do API tokens expire?

Access tokens can expire for many reasons, such as the user revoking an app, or if the authorization server expires all tokens when a user changes their password. If you make an API request and the token has expired already, you'll get back a response indicating as such.

Do API tokens expire?

Tokens are valid for 30 days from creation or last use, so that the 30 day expiration automatically refreshes with each API call. Tokens that aren't used for 30 days expire. The 30-day period is currently fixed and can't be changed for your organization.


1 Answers

Add to web.config not to be affected by app pool recycling

<system.web>
   <machineKey validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
            decryptionKey="261F793EB53B761503AC445E0CA28DA44AA9B3CF06263B77"
            validation="SHA1"/>

Read here how to generate https://support.microsoft.com/en-us/kb/312906

like image 130
Toolkit Avatar answered Oct 10 '22 19:10

Toolkit