Management API tokens don't really expire -- Auth0/Kong

harry2 · September 6, 2017, 5:46pm

I’ve got an application that sends Auth0 client credentials and receives a token in return which can be used to later on to access a protected resource. Now I’ve set the expiration time of the token to 60 seconds as demonstrated in the picture below, and yes I did press save. Also, I included an image of my console containing the output of the post request to retrieve the token, and you can see clearly that it states its expiration in 60 seconds. The problem is when I initiate a request to the access the protected resource after the elapsed time, 60 seconds, it still works! So, am I missing a critical configuration part or what?!
![alt text][1]

![alt text][2]

Update:

I don’t precisely trigger a request after the passage of 60 seconds; I wait for about minute or two later just to be sure.

I can’t really share the full token but here are the parts you could make a use of:

"exp": 1504779400,
"iat": 1504779340,
"scope": "read:resource_servers update:resource_servers"

BTW, I’m using Kong – https://getkong.org/ to use the tokens after retrieving them to access my protected resources.
JWT plugin | Kong Docs

And to be honest I’m not really sure about the consumers part, so in general could have contributed to this problem?!

jmangelo · September 7, 2017, 5:11pm

I could not reproduce the issue in question, but to be honest I issued a token with an expiration of 60 seconds and might have done the test only after a minute and a half had elapsed as I was not being very strict given this was in the order of seconds and your question seems around an issue with them not expiring at all.

Were you making the test immediately after you considered the 60 seconds to have passed or did you also tried a minute or two later and the token was still valid? If it’s the latter, then you should include in the question the payload section of the JWT token (or even just the iat and exp claims in case you don’t want to disclose the other ones).

harry2 · September 7, 2017, 5:24pm

first off, big thanks for stepping in and helping me out with this problem as I’ve been going at it for a couple of days without a shred of hope.

harry2 · September 7, 2017, 5:24pm

first off, big thanks for stepping in and helping me out with this problem as I’ve been going at it for a couple of days without a shred of hope.

jmangelo · September 7, 2017, 9:23pm

Based on the update the token seems to have been issued correctly, the iat differs 60 seconds from the exp. However your usage of Kong is something that causes me doubt because I never used it. My test was obtaining a Management API access token manually and then calling an API endpoint with it. Given I set the expiration to be 60 seconds doing the request after the 60 seconds resulted in an error. I would advise to do the same test, because if this is Kong related then I may not be able to help.

harry2 · September 7, 2017, 10:40pm

Thanks bud, I’ll try to replicate the process using the link you provided, and to also read thoroughly about what Kong does behind the curtains to understand things better, and I’ll report back to you.

harry2 · September 10, 2017, 4:01pm

It’s working, all I had to do was to enable “exp” detection in Kong.
FYI, I’m using Kongdash to configure my Kong application.![alt text][1]