
Exceptions from JwtSecurityTokenHandler


I'm using JSON Web Tokens for my ASP.NET Web API... and Thinktecture's IdentityModel.

So within my web api Startup.cs I call the IdentityModelJwtBearerAuthenticationExtensions extension method as below:

app.UseJsonWebToken(
    issuer: Constants.IssuerName,     // expected "iss" claim
    audience: Constants.Audience,     // expected "aud" claim
    signingKey: Constants.SigningKey  // key used to verify the token signature
);

I then decorate my API Controllers with AuthorizeAttribute.

OK, great, that's fine! All good.

But when a token expires... all I get is a 401 unauthorised.

I'd like to have the SecurityTokenValidationException ("Lifetime validation failed. The token is expired") from the JwtSecurityTokenHandler bubble up and be visible in the Web API.

How do I do that?

I've looked around and can't see the right direction to take.

Is it to do with the JwtBearerAuthenticationOptions?

Cheers for any wisdom.


Solution

  • That's not how Katana authentication middleware works. If validation fails, no principal gets populated and thus authorization will fail.

    Also your web api cannot do anything about that, it is the client that needs to take appropriate actions. In OAuth it is also expected that the client keeps track of expiration times.
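The two halves of that answer, the server side (a failed lifetime check yields no principal, so the request is simply unauthenticated and ends in a 401) and the client side (read `exp` and refresh before the API rejects the token), as an added example. This is not code from the question, from Thinktecture IdentityModel or from Katana; it assumes the newer System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens packages rather than the Katana-era handler, and the issuer, audience, key and claims are constructed sample values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example (not from the question, Thinktecture or Katana); assumes the
// System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens packages.
public static class ExpiredTokenDemo
{
    // Constructed sample material; a real deployment loads these from configuration.
    private const string Issuer = "https://issuer.example";
    private const string Audience = "https://api.example";
    private static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes!!"));

    // Issues a token with the given lifetime; a negative lifetime reproduces the
    // already-expired token from the question.
    public static string IssueToken(TimeSpan lifetime)
    {
        var handler = new JwtSecurityTokenHandler();
        var now = DateTime.UtcNow;
        JwtSecurityToken token = handler.CreateJwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            subject: new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
            notBefore: now.AddMinutes(-10),
            expires: now.Add(lifetime),
            signingCredentials: new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256));
        return handler.WriteToken(token);
    }

    // Mirrors what bearer middleware does: validate, and on any failure populate
    // no principal so the request is treated as unauthenticated (HTTP 401).
    public static (ClaimsPrincipal Principal, int StatusCode, string Reason) Authenticate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = SigningKey,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero, // default is 5 minutes; zero keeps the demo deterministic
        };
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out SecurityToken _);
            return (principal, 200, "ok");
        }
        catch (SecurityTokenExpiredException ex)
        {
            // This is the exception the asker wants to see. The middleware catches it
            // (log it here if you need visibility) and leaves the caller anonymous.
            return (null, 401, $"expired at {ex.Expires:u}");
        }
        catch (SecurityTokenException ex)
        {
            // Bad signature, wrong issuer/audience, malformed token: same outcome.
            return (null, 401, ex.GetType().Name);
        }
    }

    // Client-side half of the answer: a well-behaved client reads `exp` and refreshes
    // before sending a token the API will reject anyway. ReadJwtToken does not
    // validate the signature; that is fine here because the client only inspects
    // the expiry of a token it received itself.
    public static bool TokenStillUsable(string jwt, TimeSpan safetyMargin)
    {
        var token = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        return token.ValidTo > DateTime.UtcNow.Add(safetyMargin);
    }

    public static void Main()
    {
        string expired = IssueToken(TimeSpan.FromMinutes(-5));
        string fresh = IssueToken(TimeSpan.FromMinutes(30));

        Console.WriteLine($"client check, expired token usable: {TokenStillUsable(expired, TimeSpan.FromSeconds(30))}");
        Console.WriteLine($"client check, fresh token usable:   {TokenStillUsable(fresh, TimeSpan.FromSeconds(30))}");

        var (_, status, reason) = Authenticate(expired);
        Console.WriteLine($"server: {status} ({reason})");

        var (principal, status2, _) = Authenticate(fresh);
        Console.WriteLine($"server: {status2} as {principal.FindFirst("sub")?.Value}");
    }
}
```

The `catch` in `Authenticate` is the place where the detail the question asks for is available to the server: log the exception type and `Expires` there for diagnostics, but keep the response a plain 401, since the client is the party that has to act on it.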