This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

OAuth2 refreshing access token broken on Azure (SecurityTokenExpiredException: IDX10223: Lifetime validation failed. ) #4770

Closed
courtzzz opened this issue Aug 20, 2020 · 2 comments

Comments

@courtzzz

Question

This issue may be related to #1689 - but no fix is provided in this issue without changing the client - which I cannot do.

I have a fairly standard requirement for an OAuth2 service which allows the client to request the offline_access token and exchange the refresh token for an access token when it has expired.

Although this doesn't seem to be working at all. My client is integrating into Zapier. The Zapier client is able to authenticate fine. However, after an hour the token seems to have expired BUT the client hasn't been able to retrieve a new token for whatever reason.

The following shows my persisted grants table showing that (I think) the refresh token has been accessed or created although the expiry time seems to be before the creation time??:

image

and my client looks like this - details extracted:

image

The only other thing in the IdentityServer4 logs is the following:

Relevant parts of the log file

image

2020-08-19 23:03:37.265 +00:00 [DBG] Endpoint enabled: Userinfo, successfully created handler: IdentityServer4.Endpoints.UserInfoEndpoint
2020-08-19 23:03:37.483 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.UserInfoEndpoint for /connect/userinfo
2020-08-19 23:03:37.974 +00:00 [DBG] Start userinfo request
2020-08-19 23:03:38.508 +00:00 [DBG] Bearer token found in header
2020-08-19 23:03:39.090 +00:00 [INF] Removing 0 grants
2020-08-19 23:03:39.315 +00:00 [INF] Removing 0 device flow codes
2020-08-19 23:03:42.814 +00:00 [INF] JWT token validation error: IDX10223: Lifetime validation failed. The token is expired. ValidTo: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]', Current time: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired. ValidTo: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]', Current time: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at IdentityServer4.Validation.TokenValidator.ValidateJwtAsync(String jwt, IEnumerable`1 validationKeys, Boolean validateLifetime, String audience)
2020-08-19 23:03:45.252 +00:00 [DBG] AuthenticationScheme: Identity.Application was not authenticated.
2020-08-19 23:03:45.470 +00:00 [DBG] AuthenticationScheme: Identity.Application was not authenticated.
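
A log-triage sketch for the excerpt above, added here as an example and not part of the original issue or of IdentityServer4: it reports which endpoint an expired token (IDX10223) was presented to and whether a /connect/token call followed within a window. The sample lines are constructed in the posted log format; the function names and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format shown in the issue. The last two lines
# (a /connect/token call and a retry) are invented to exercise the refresh branch.
SAMPLE = """\
2020-08-19 23:03:37.483 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.UserInfoEndpoint for /connect/userinfo
2020-08-19 23:03:38.508 +00:00 [DBG] Bearer token found in header
2020-08-19 23:03:42.814 +00:00 [INF] JWT token validation error: IDX10223: Lifetime validation failed. The token is expired.
Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed.
2020-08-19 23:05:10.000 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
2020-08-19 23:05:11.000 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.UserInfoEndpoint for /connect/userinfo
"""

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) ([+-]\d\d:\d\d) \[\w+\] (.*)$")
INVOKE = re.compile(r"Invoking IdentityServer endpoint: \S+ for (\S+)")


def parse(text):
    """Yield (timestamp, message) per timestamped line; stack-trace lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            stamp = m.group(1) + m.group(2).replace(":", "")
            yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f%z"), m.group(3)


def triage(text, window=timedelta(minutes=5)):
    """Return one finding per IDX10223 log entry."""
    events = list(parse(text))
    calls = [(ts, m.group(1)) for ts, msg in events if (m := INVOKE.search(msg))]
    findings = []
    for ts, msg in events:
        if "IDX10223" not in msg:
            continue
        # Heuristic: the endpoint invoked most recently before the failure is
        # where the expired token was presented (concurrent requests can interleave).
        before = [path for t, path in calls if t <= ts]
        refreshed = any(p == "/connect/token" and ts < t <= ts + window
                        for t, p in calls)
        findings.append({"time": ts,
                         "endpoint": before[-1] if before else None,
                         "refresh_followed": refreshed})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["time"].isoformat(), f["endpoint"], "refresh_followed =", f["refresh_followed"])
```

A finding with `refresh_followed` false means the client kept presenting the expired access token without the server logging a refresh-token exchange in that window.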

@stale

stale bot commented Sep 3, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

@stale stale bot added the wontfix label Sep 3, 2020
@stale stale bot closed this as completed Sep 10, 2020
@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 26, 2020