.NetCore JwtBearerAuthentication not rejecting expired tokens

Question

I am generating JWT's to use with my WebApi project. I'm set the token to expire in one minute so that I can test if it rejects the token when submitted after the expiration date.

CreateToken Controller

public async Task<IActionResult> CreateToken([FromBody] CredentialModel model) {     var user = await _unitOfWork.UserManager.FindByNameAsync(model.UserName);      if (user == null) return BadRequest();     if (Hasher.VerifyHashedPassword(user, user.PasswordHash, model.Password) !=         PasswordVerificationResult.Success) return BadRequest();      var userClaims = await UserManager.GetClaimsAsync(user);      var claims = new[]     {         new Claim(JwtRegisteredClaimNames.Sub, user.UserName),         new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),         new Claim(JwtRegisteredClaimNames.Iat, DateTime.UtcNow.ToString()),         new Claim(JwtRegisteredClaimNames.GivenName, user.FirstName),          new Claim(JwtRegisteredClaimNames.FamilyName, user.LastName),         new Claim(JwtRegisteredClaimNames.Email, user.Email)     }     .Union(userClaims);      var cert = new Certificate(Configuration["Tokens:Certificate"]);     var token = new JwtSecurityToken(         issuer: Configuration["Tokens:Issuer"],         audience: Configuration["Tokens:Audience"],         claims: claims,         expires: DateTime.UtcNow.AddMinutes(1),         signingCredentials: cert.Signature     );      return Ok(new     {         token = new JwtSecurityTokenHandler().WriteToken(token),         expiration = token.ValidTo     }); } 

Token Authentication - Startup Class

app.UseJwtBearerAuthentication(new JwtBearerOptions() {     AutomaticAuthenticate = true,     AutomaticChallenge = true,     TokenValidationParameters = new TokenValidationParameters()     {         ValidIssuer = Configuration["Tokens:Issuer"],         ValidAudience = Configuration["Tokens:Audience"],         ValidateIssuerSigningKey = true,         IssuerSigningKey = new Certificate(Configuration["Tokens:Certificate"]).SecurityKey,         ValidateLifetime = true     }, }); 

Although I am setting validateLifetime = true the tokes are not rejected two minutes later. It will keep accepting the token. Is there a minimum expiration time that I am not aware of or is my setup wrong?

Answer 1

I stumbled over the answer here if anyone is interested. Default value for ClockSkew is 5 minutes.

app.UseJwtBearerAuthentication(new JwtBearerOptions() {     AutomaticAuthenticate = true,     AutomaticChallenge = true,     TokenValidationParameters = new TokenValidationParameters()     {         ValidIssuer = Configuration["Tokens:Issuer"],         ValidAudience = Configuration["Tokens:Audience"],         ValidateIssuerSigningKey = true,         IssuerSigningKey = new Certificate(certPath: Configuration["Tokens:Certificate"], isValid: false).SecurityKey,         ValidateLifetime = true,         ValidateIssuer = true,         ValidateAudience = true,         ClockSkew = TimeSpan.Zero     }, });