Jwt token leeway on API calls

Hi all,

Our application consists of an Angular App with a ServiceStack API (.net Framework 4.7.2.). For authentication, we are using an identityserver4.

The workflow for an authentication is as follows:

  1. User opens angular app
  2. User clicks “login button”, angular application is redirecting the user to an identityserver4
  3. Identityserver validates user credentials and issues access_token
  4. Angular App calls ServiceStack API with access_token (JWT) issued by identityserver

We now have the issue that under some mysterious circumstances, the API is refusing to accept the access_token. After a refresh of the angular App, exactly the same access_token is being accepted.
We believe that this has to do with the access_token not yet being valid (nbf time of jwt token). This can happen, if the time is not 100% in sync between the identityserver and the API Server.

Do you know, if there is a possibility to add a leeway into the validation of the nbf time on the API side?

This is our current Configuration:

Plugins.Add(new AuthFeature(() => new AuthUserSession(),
        new IAuthProvider[]
            new JwtAuthProviderReader(AppSettings)
                PopulateSessionFilter = (session, payload, req) =>
                    session.Roles = new List<string>() { payload["role"] };
                AuthRealm = xxx
                Audience ="api1",
                RequireSecureConnection = false,
                HashAlgorithm = "RS256",

                PrivateKey = xx
                PublicKey = xx
            IncludeAssignRoleServices = false,
            IncludeRegistrationService = false

I’m not following, are you using IdentityServer4 or ServiceStack’s JWT? Or are you trying to validate IdentityServer4 tokens with ServiceStack JWT?

Please excuse me, I may have been a bit short in explaining our system architecture. I have added the workflow of an authorization in the original post.

Regarding your question: We are validating an identityserver4 issued JWT token on a ServiceStack API

Ok though using IdentityServer4 tokens in ServiceStack JWT isn’t a supported or tested scenario. Why aren’t you validating IdentityServer4 tokens with Identity Server as per IdentityServer + ServiceStack docs? You’d generally always want to use the same library for issuing + validating tokens.

What’s the full HTTP Response Headers of an invalid request?

Ok, thanks for your answers and the hint that this is a not supported case.
I read the documentation prior the implementation, but the examples are for dotnet core and unfortunately we are still using .net framework. The NetCoreIdentityAuthProvider is not available there.

What is the supported way for validating identityserver generated jwt tokens for .net framework 4.7.2?

Your best option would be to run your ASP .NET Core App on the .NET Framework which would let you use the NetCoreIdentityAuthProvider that’s used to provide an Adapter for ASP .NET Identity Auth in ServiceStack.

Failing that you’d need to create a custom JWT AuthProvider that validates IdentityServer tokens, I’ve no experience with that but ServiceStack.Authentication.IdentityServer has an IdentityServerAuthFeature plugin that encapsulates registering different Auth Providers for different IdentityServer Auth flows. It hasn’t been updated in a couple of years so you’d need to download the source to get it working with a recent version of ServiceStack.

A lighter IdentityServer4 Auth Provider can be found in Custom Auth Provider for an Angular App, it uses ASP .NET Core but the JwtSecurityTokenHandler used to validate the JWT in System.IdentityModel.Tokens.Jwt supports .NET Framework. Though I wouldn’t bother with converting them into claims as all ServiceStack needs is a valid AuthUserSession assigned to the current request as done in:

var session = CreateSessionFromPayload(req, jwtPayload);
req.Items[Keywords.Session] = session;