I'm working on a abp project where I need to handle time incompatibility for users whose systems might have incorrect time settings. I've attempted to address this by configuring the ClockSkew in my AuthServer module as shown below:
public override void PreConfigureServices(ServiceConfigurationContext context)
{
PreConfigure<OpenIddictBuilder>(builder =>
{
builder.AddValidation(options =>
{
options.AddAudiences("X");
options.UseLocalServer();
options.UseAspNetCore();
options.Configure(opt =>
{
opt.TokenValidationParameters.ClockSkew = new TimeSpan(0, 2, 0, 0);
});
});
});
PreConfigure<OpenIddictServerBuilder>(builder =>
{
builder.SetAuthorizationCodeLifetime(TimeSpan.FromDays(365));
builder.SetAccessTokenLifetime(TimeSpan.FromDays(365));
builder.SetIdentityTokenLifetime(TimeSpan.FromDays(365));
builder.SetRefreshTokenLifetime(TimeSpan.FromDays(365));
});
}
Users are able to log in to the AuthServer app successfully. However, when they are redirected to the Blazor WASM app, the following error message is displayed: "There was an error trying to log you in". This suggests that the ClockSkew setting is not working as expected.
Could anyone provide guidance on how to resolve this issue?
Support for the TokenValidationParameters.ClockSkew was added in OpenIddict 5.0. That said, it only affects validation performed by the OpenIddict client, server or validation stacks.
If you want to change the rules of the validation routine performed by the Blazor WASM OIDC client, you'll need to get your hands dirty: a ClockSkew option exists in oidc-client-js (the library used under the hood by Blazor), but it's not very easy to set it. See https://github.com/dotnet/aspnetcore/issues/36028 for some hints.