Which version of Duende IdentityServer are you using?
7.0.0
Which version of .NET are you using?
8.0.204
Describe the bug
An accessToken that has expired still returns { Active: true } from the introspection endpoint.
Could this be to do with clockSkew? I've hit this problem client-side, but didn't know if the introspection endpoint follows the same pattern for token validation (aspnetcore by default is 5 mins).
To Reproduce
1. Create a client_credentials client with accessToken expiry of 5 minutes (300s)
2. Request an accessToken using client_credentials client
3. Wait for 5 mins (added additional 30s to be sure)
4. Using the introspection endpoint with basic auth using client_credentials details from 1., get the introspection details about the token
5. Although the accessToken is expired, the model still contains { Active: true }

Note the time in the logs at 2024-05-02 14:40:08.959297 Debug . - Token validation success is after the "exp": 1714657203, which converted to DateTime is 02/05/2024 14:40:03.
Additional context
N/A
I'm curious why you are sending JWTs to the introspection endpoint, as its main purpose is to work with reference tokens.
It works with JWTs for the rare cases where clients are for some reason not able to do token validation themselves.
As you mentioned, this has to do with ClockSkew, which by default is set to 300 seconds (5 minutes). It is not designed to be customizable at this point because it is part of the TokenValidator, which is critical for the operation of IdentityServer.
In the ValidateJwtAsync method an instance of TokenValidationParameters is created which has the clockskew set to 5 minutes.
The only way to deviate from that really is to use your own TokenValidator that sets a different value for the ClockSkew in the TokenValidationParameters. But we don't recommend that. The default value should suffice for the vast majority of cases.
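
The effect of the 5-minute ClockSkew described in the reply above, as an added example that is not part of the thread and not Duende IdentityServer code. It calls JwtSecurityTokenHandler from the System.IdentityModel.Tokens.Jwt package directly; the key, issuer and audience are constructed sample values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Constructed signing key (256 bits for HS256); not a real deployment key.
var key = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));
var now = DateTime.UtcNow;

// Constructed token: 300 s lifetime that ended 6 s ago, roughly the gap between
// "exp" and the "Token validation success" log line reported in the issue.
var jwt = new JwtSecurityToken(
    issuer: "https://issuer.example",
    audience: "api",
    notBefore: now.AddSeconds(-306),
    expires: now.AddSeconds(-6),
    signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));

var handler = new JwtSecurityTokenHandler();
string token = handler.WriteToken(jwt);

// Validates the same token with a given skew; only the lifetime outcome differs.
bool IsAccepted(TimeSpan clockSkew)
{
    var parameters = new TokenValidationParameters
    {
        ValidIssuer = "https://issuer.example",
        ValidAudience = "api",
        IssuerSigningKey = key,
        ValidateLifetime = true,
        ClockSkew = clockSkew
    };
    try
    {
        handler.ValidateToken(token, parameters, out _);
        return true;
    }
    catch (SecurityTokenExpiredException)
    {
        return false; // now is past exp + clockSkew
    }
}

Console.WriteLine($"ClockSkew 5 min: accepted = {IsAccepted(TimeSpan.FromMinutes(5))}");
Console.WriteLine($"ClockSkew 0:     accepted = {IsAccepted(TimeSpan.Zero)}");

// A caller that needs a hard cut-off can compare "exp" with its own clock.
long exp = new DateTimeOffset(jwt.ValidTo).ToUnixTimeSeconds();
Console.WriteLine($"Strict check: expired = {DateTimeOffset.UtcNow.ToUnixTimeSeconds() >= exp}");
```

The last check is the one a resource server can apply on its side without replacing the TokenValidator: treat the token as expired once its own clock passes "exp", whatever skew the validating party allows.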
Expected behavior
The introspection endpoint returns Active: false as documented https://docs.duendesoftware.com/identityserver/v7/reference/endpoints/introspection/