Identity Server exception - Lifetime validation failed and Unable to decode the header 'System.

Time:04-05

When the token is expired or a tampered token is passed to call an API in Postman, I get the exception mentioned below. Now, how to return this as a proper response is my concern in ASP.NET Core.

Token expired:

Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired. ValidTo: 'System.DateTime', Current time: 'System.DateTime'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

Token tampered and passed:

System.ArgumentException: IDX12729: Unable to decode the header 'System.String' as Base64Url encoded string. jwtEncodedString: 'System.String'.
 ---> System.FormatException: IDX10400: Unable to decode: 'System.String' as Base64url encoded string.
   at Microsoft.IdentityModel.Tokens.Base64UrlEncoder.DecodeBytes(String str)
   at Microsoft.IdentityModel.Tokens.Base64UrlEncoder.Decode(String arg)
   at System.IdentityModel.Tokens.Jwt.JwtHeader.Base64UrlDeserialize(String base64UrlEncodedJsonString)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
   --- End of inner exception stack trace ---
   at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ReadJwtToken(String token)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

CodePudding user response:

You can re-install the Newtonsoft.Json library via NuGet. Or, adding the Newtonsoft.Json DLL to your project will fix the issue.

CodePudding user response:

The proper response from the API is to always return a 401 Unauthorized status code, regardless of whether the token is expired or invalid/tampered. That is all that the client should care about.

Returning detailed information about why it failed can actually help the attacker.
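One way to apply this answer in ASP.NET Core, as an added example that is not from the question or either answer: the JwtBearer handler already catches the exceptions in the stack traces above and turns them into a failed authentication, so the only work is to keep the detail out of the response and log it server-side. It assumes .NET 6+ minimal hosting, the Microsoft.AspNetCore.Authentication.JwtBearer package, and placeholder Authority/Audience values.

```csharp
// Added example (not from the original post): one generic 401 for expired, tampered or missing tokens.
// Assumes .NET 6+ minimal hosting and the Microsoft.AspNetCore.Authentication.JwtBearer package.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://identityserver.example"; // placeholder: your IdentityServer URL
        options.Audience = "api1";                             // placeholder: your API resource name
        // Default is true, which puts text such as "The token expired at ..." into WWW-Authenticate.
        options.IncludeErrorDetails = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30), // tighter than the 5-minute default
        };
        options.Events = new JwtBearerEvents
        {
            // Keep the diagnostic detail on the server: log it, never echo it to the client.
            OnAuthenticationFailed = ctx =>
            {
                var logger = ctx.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>().CreateLogger("JwtBearer");
                var reason = ctx.Exception is SecurityTokenExpiredException ? "expired" : "invalid";
                logger.LogWarning(ctx.Exception, "Bearer token rejected ({Reason}) from {Ip}",
                    reason, ctx.HttpContext.Connection.RemoteIpAddress);
                return Task.CompletedTask;
            },
            // Replace the default challenge with the same body for every failure mode.
            OnChallenge = ctx =>
            {
                ctx.HandleResponse(); // suppress the default challenge and its error_description
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                ctx.Response.Headers["WWW-Authenticate"] = "Bearer";
                return ctx.Response.WriteAsJsonAsync(new { error = "unauthorized" });
            },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/secure", () => "ok").RequireAuthorization();
app.Run();
```

With this in place, an expired token and a tampered token both produce an identical 401 with `{"error":"unauthorized"}`, while the IDX10223 / IDX12729 reason is still available in the server log for troubleshooting.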
