Access Token not getting invalidated after AccessTokenLifetime is passed

[akamud]

I configured my Client using AccessTokenLifetime to 10 minutes, like this:

public void ConfigureDefaultValues()
        {
            AccessTokenType = (int)IdentityServer4.Models.AccessTokenType.Jwt;
            AccessTokenLifetime = (int)TimeSpan.FromMinutes(10).TotalSeconds;
            UpdateAccessTokenClaimsOnRefresh = true;
            IdentityTokenLifetime = (int)TimeSpan.FromMinutes(10).TotalSeconds;
            AuthorizationCodeLifetime = (int)TimeSpan.FromMinutes(5).TotalSeconds;
            AbsoluteRefreshTokenLifetime = (int)TimeSpan.FromDays(30).TotalSeconds;
            RefreshTokenExpiration = (int)TokenExpiration.Sliding;
            RefreshTokenUsage = (int)TokenUsage.ReUse;
            SlidingRefreshTokenLifetime = (int)TimeSpan.FromDays(15).TotalSeconds;
            Enabled = true;
            IncludeJwtId = true;
            EnableLocalLogin = true;
            AllowAccessToAllScopes = true;
            LogoutSessionRequired = true;
            AllowedGrantTypes = new List<ClientGrantType>
            {
                new ClientGrantType { GrantType = GrantType.AuthorizationCode },
                new ClientGrantType { GrantType = GrantType.ClientCredentials },
            };
        }

I then logged in (code flow) and got a new access_token for this client using UseOpenIdConnectAuthentication:

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
                {
                    UseTokenLifetime = true,
                    AuthenticationScheme = "oidc",
                    SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
                    Authority = configuration["AuthorityHost"],
                    RequireHttpsMetadata = false,
                    AutomaticChallenge = true,

                    ClientId = configuration["ClientId"],
                    ClientSecret = configuration["ClientSecret"],

                    ResponseType = OpenIdConnectResponseType.Code,
                    Resource = configuration["AuthorityHost"],
                    Scope = { "api", StandardScopes.OpenId.Name, StandardScopes.Profile.Name, StandardScopes.Email.Name, StandardScopes.OfflineAccess.Name },
                    GetClaimsFromUserInfoEndpoint = true,

                    SaveTokens = true,
                });

I saw from a closed issue that I should not look at the values inside access_token, so I'm ignoring the fact that the exp value inside the access_token is still 1 hour, not matching the value I configured (10 minutes).
But the problem is that my API is still accepting incoming requests from an "expired" access_token.

Just to be clear, my API validates the token using Bearer AuthenticationScheme:

var jwtOptions = new JwtBearerOptions
                {
                    Authority = configuration["AuthorityHost"],
                    RequireHttpsMetadata = false,
                    Audience = $"{configuration["AuthorityHost"]}resources",
                    AutomaticAuthenticate = true,
                    AuthenticationScheme = "Bearer",
                };

Later used in my controllers:

[Authorize(ActiveAuthenticationSchemes = "Bearer")]

What am I doing wrong here? Is this a bug?

[akamud]

Answering my own question: this is not a bug.

My code would override the AccessTokenLifetime value in a very obscure place that I missed before opening the issue.

Closing this.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.