asp.net identity expire bearer token after 20 min

Question

i have a web service, users can login to service and give bearer token.

in local everything is good, but in server (shared host, windows 2012, iis 8.5) after 20 min, token has been expired !!!

my AccessTokenExpireTimeSpan is :

AccessTokenExpireTimeSpan = TimeSpan.FromDays(900),

also in my first request, i give a delay about 5 sec. what is problem ?

Answer 1

I asume that you in production have multiple servers. And ASP.NET Identity is using the server's machine key to generate the token bearer. So after 20 minutes you have been "redirected" to another server with another machine key.

One solution is to override the machine key of the servers. With setting the machine key in the web.config. So all servers has the same machine key.

<machineKey validationKey="534766AC57A2A2F6A71E6F0757A6DFF55526F7D30A467A5CDE102D0B50E0B58D613C12E27E7E778D137058E" decryptionKey="7059303602C4B0B3459A20F9CB631" decryption="Auto" validation="SHA1"/>

How to generate and set machine keys:
https://technet.microsoft.com/sv-se/library/cc755177%28v=ws.10%29.aspx http://docs.orchardproject.net/Documentation/Setting-up-a-machine-key

Solution 2 - If don't have access to IIS

If you dont' want to modify the machineKey on the IIS or doesn't have access to it you can ovveride ASP.NET Identity token provider easily by ovveriding the default settings in the startup.cs file.

An example of that can you find here: https://github.com/eashi/Samples/blob/master/OAuthSample/OAuthSample/App_Start/Startup.Auth.cs