-
Notifications
You must be signed in to change notification settings - Fork 413
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expiration date is limited to Tue, 19 Jan 2038 03:14:07 GMT #92
Comments
I used int32 as it maps nicely to epoch time. You are correct that in 2038, it wraps. |
In theory this is a detail. In practice, we've had the fuzz about Y2K and we somehow would avoid something similar (although I fully admit that 2038 is still a lot of time). It's up to you what you do with it. |
Closing this issue for now, 2038 is way in the future. We can revisit this later. |
This is still a bug, please reopen. |
This is still a bug, please reopen. (2) |
@silverferrum Changing JwtPayload.Exp to long? would be breaking and would cause problems for many users. We could add a new property that returns long? |
@brentschmaltz hi! So I cannot advise you how to fix that because I do not use JwtPayload.Exp property directly but the AuthorizeAttribute does. |
@silverferrum I am curious why you need a date so far in the future? Can you share how you are using the AuthorizeAttribute? |
Currently, it is not creating a bug for me but it is weird that token is generated with correct expiration but can't validate it.
And then you just add the AuthorizeAttribute to the ASP.NET Core Controller. |
@silverferrum the problem is the api returns an int (our mistake). If we change it to return a long we will break users. That is why we would need a new API. Breaking users is a really bad thing in today's world of multiple dependencies. |
I think you are right. Maybe, adding the long field with marking the int field as obsolete will be good idea for a couple of years. |
Today is 22.11.2021, problem still exist - System.IdentityModel.Tokens.Jwt, Version=6.14.1.0. Please, introduce major release with Y2K fix. One day the users with old version of this package will get broken application. That's sad. |
A developer reported an issue to dotnet/runtime that was ultimately this issue. dotnet/runtime#63001 (comment) |
This issue has cost me days of work trouble shooting. Please make the Int32 value obsolete and add an 64-bit version of the property that gets used by the validators. |
@ggeurts ouch, that is painful. |
Is this issue has been solved? Or still the same? |
@andylai we haven't got to it yet. |
On same boat here, spent some days trying to figure out what was wrong until I landed here. |
The problem still exists. |
For anyone who needs a workaround: we worked around this by setting TokenValidationParameters.RequireExpirationTime to false if exp overflows.
|
I need this one fixed. The workarounds doesn't work for me. |
This workaround is very limited because the time validation may be different for different bearers (e.g., different users with different roles, different systems with different expiration times...) and some bearers need to be validated against time (with a short period of time, like 5 minutes) and others "don't" (15 years). I agree it may solve the issue for some users that has only one expiration time, but for others, it will just remove an important validation. |
This actually works in our case because we are creating a new TokenValidationParameters instance for every single validation (we are not using using the ASP.NET Core extension methods where this may not be possible). But yes, it's a bad workaround and I'm quite dissappointed that this still hasn't been fixed. 2038 is not that far off anymore and the longer the fix takes, the more legacy software will be broken by this. |
Same problem here. We really need a fix for this! |
Yeah, this needs to be fixed....reported 8 years ago and the problem persists? |
This is fixed in IdentityModel 7. |
IIUC, IdentityModel 7 doesn't support .NET Framework (#2123); how can I get the year 2038 fix for .NET Framework? |
I was using the version 0.1.0 of the nuget up until now. We are switching to the new nuget. To make sure that everything which worked before still works, I wrote some regression tests. One of them is "a token that was valid using the old handler should still be valid". To be able to test this, a serialized tons of jwt tokens using all of my RP settings and created a fake token with an expiration date at new DateTime(4321, 1, 1). (To be easy to visually see if it is correct) To my surprise this test failed with the current implementation. "IDX10225: Lifetime validation failed. The token is missing an Expiration Time.". I reverified my token which had ""nbf":0,"exp":74190380400". After a debugging session I noticed that there was an overflow exception (which is eaten by the handler). I saw that the claim is read using an int32. In practical situations this might be enough but I would have preferred the usage of an int64 for this. What do you think ?
The text was updated successfully, but these errors were encountered: