
When an expired or tampered token is passed to call an API in Postman, I get the exception mentioned below. Now how to return this as a proper response is my concern in ASP.NET Core.

Token expired:

Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired. ValidTo: 'System.DateTime', Current time: 'System.DateTime'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

Token tampered and passed:

System.ArgumentException: IDX12729: Unable to decode the header 'System.String' as Base64Url encoded string. jwtEncodedString: 'System.String'.
 ---> System.FormatException: IDX10400: Unable to decode: 'System.String' as Base64url encoded string.
   at Microsoft.IdentityModel.Tokens.Base64UrlEncoder.DecodeBytes(String str)
   at Microsoft.IdentityModel.Tokens.Base64UrlEncoder.Decode(String arg)
   at System.IdentityModel.Tokens.Jwt.JwtHeader.Base64UrlDeserialize(String base64UrlEncodedJsonString)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
   --- End of inner exception stack trace ---
   at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ReadJwtToken(String token)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

The above-mentioned problems are handled after adding the following:
[image]

Now I am facing a new exception: [image]

2 Answers


  1. You can re-install the Newtonsoft.Json library via NuGet, or add the Newtonsoft.Json DLL to your project; that will fix the issue.

  2. The proper response from the API is to always return a 401 Unauthorized status code, regardless of whether the token is expired or invalid/tampered. That is all that the client should care about.

    Returning detailed information about why it failed can actually help the attacker.

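One way to implement the uniform 401 that the second answer recommends, as an added example that is not code from the question or either answer: an ASP.NET Core minimal API whose JWT bearer handler logs the real validation failure (expired lifetime, undecodable header, bad signature) server-side and returns the same response body to the client in every case. It assumes .NET 6 or later with the Microsoft.AspNetCore.Authentication.JwtBearer package; the configuration key name `Jwt:SigningKey` and the issuer/audience strings are placeholders.

```csharp
// Added example (not from the question or answers): every JWT failure yields the same 401.
// Assumptions: .NET 6+ Web SDK (implicit usings for Logging/DI/Http),
// the Microsoft.AspNetCore.Authentication.JwtBearer package, a signing key in
// configuration under "Jwt:SigningKey" (hypothetical key name), placeholder issuer/audience.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        var signingKey = builder.Configuration["Jwt:SigningKey"]
            ?? throw new InvalidOperationException("Jwt:SigningKey is not configured");

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://issuer.example",     // placeholder
            ValidateAudience = true,
            ValidAudience = "api.example",              // placeholder
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey)),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),       // tighter than the 5-minute default
        };

        // By default the handler copies the failure description (e.g. "The token expired at ...")
        // into the WWW-Authenticate header; disable that so callers only see "invalid_token".
        options.IncludeErrorDetails = false;

        options.Events = new JwtBearerEvents
        {
            // The detailed cause is valuable to operators and detection, so it goes to the
            // server log rather than to the caller.
            OnAuthenticationFailed = ctx =>
            {
                var logger = ctx.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger("JwtBearer");
                logger.LogWarning(ctx.Exception,
                    "JWT validation failed for {Path} from {RemoteIp}",
                    ctx.HttpContext.Request.Path,
                    ctx.HttpContext.Connection.RemoteIpAddress);
                return Task.CompletedTask;
            },

            // Whatever the cause (expired, tampered, missing), the client gets one fixed 401 body.
            OnChallenge = ctx =>
            {
                ctx.HandleResponse(); // suppress the handler's default challenge output
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                ctx.Response.Headers["WWW-Authenticate"] = "Bearer";
                ctx.Response.ContentType = "application/json";
                return ctx.Response.WriteAsync("{\"error\":\"unauthorized\"}");
            },
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// A protected endpoint to exercise the handler: call it with an expired or
// edited token and observe that the response is identical in both cases.
app.MapGet("/secure", () => Results.Ok(new { message = "authenticated" }))
   .RequireAuthorization();

app.Run();
```

The two exceptions in the question are both caught by `JwtBearerHandler.HandleAuthenticateAsync` and surface through `OnAuthenticationFailed`, so the 401 is already the status code the handler produces; what this configuration adds is keeping the reason out of the `WWW-Authenticate` header (`IncludeErrorDetails = false`) and out of the body (`OnChallenge`), while the log line keeps the exception type and the client address for later review.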