JWT tokens (or JSON Web Tokens) are an open standard that defines a way to transmit information between two parties in a secure manner. Identity Server 4 uses JWT as its security token.

These tokens have an expiry timestamp, and if you handle the tokens yourself, you need to read the token's expiry and refresh the token when it has expired.

Microsoft has made a brilliant library, System.IdentityModel.Tokens.Jwt, to handle JWT tokens, but that package also has a lot of dependencies that were incompatible with my application, so I chose to use JWT.Net instead, as this package has no dependencies at all.

THE ANATOMY OF A JWT TOKEN:

A JWT token consists of a header, a payload and a signature. It is in the payload that you find the expiry timestamp, in the “exp” field. The timestamp is in the stupid UNIX timestamp format, but fear not: .NET knows how to convert it to a real DateTime.

STEP 1: CREATE A PAYLOAD MODEL CLASS

JWT.Net is not as powerful as System.IdentityModel.Tokens.Jwt, so you need to create a model class for the payload section. The class, however, is very simple:

namespace MyCode
{
    // Only the claim we need: "exp" is the expiry as UNIX seconds (RFC 7519).
    public class JwtToken
    {
        public long exp { get; set; }
    }
}

STEP 2: USE JWT.Net TO GET THE EXPIRY FROM THE TOKEN PAYLOAD

The final step is to take the JWT token string, decode it into the JwtToken class, and then convert the UNIX timestamp to local time:

using System;
using JWT;
using JWT.Algorithms;
using JWT.Serializers;

namespace MyCode
{
    public class JWTService
    {
        private IJsonSerializer _serializer = new JsonNetSerializer();
        private IDateTimeProvider _provider = new UtcDateTimeProvider();
        private IBase64UrlEncoder _urlEncoder = new JwtBase64UrlEncoder();
        private IJwtAlgorithm _algorithm = new HMACSHA256Algorithm();

        public DateTime GetExpiryTimestamp(string accessToken)
        {
            try
            {
                IJwtValidator validator = new JwtValidator(_serializer, _provider);
                IJwtDecoder decoder = new JwtDecoder(_serializer, validator, _urlEncoder, _algorithm);

                // Without a key this overload only base64url-decodes the payload; it does not
                // check the signature, so "exp" is read here as an unverified claim. Real
                // validation of the token still belongs to the server that receives it.
                var token = decoder.DecodeToObject<JwtToken>(accessToken);

                // "exp" is UNIX seconds; convert it to a local DateTime.
                DateTimeOffset dateTimeOffset = DateTimeOffset.FromUnixTimeSeconds(token.exp);
                return dateTimeOffset.LocalDateTime;
            }
            catch (TokenExpiredException)
            {
                return DateTime.MinValue;
            }
            catch (SignatureVerificationException)
            {
                return DateTime.MinValue;
            }
            catch (Exception)
            {
                // ... remember to handle the generic exception ...
                return DateTime.MinValue;
            }
        }
    }
}
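As an added example (not code from the post or from JWT.Net), here is the same expiry read done with no package at all, using only the base class library's JsonDocument, plus the refresh decision the post describes, with a leeway for clock skew. It assumes .NET Core 3.0 or later for System.Text.Json; the class and method names are my own. Like the post's no-key DecodeToObject call, it does not verify the signature, so the value it returns is a hint for when to refresh, not proof the token is valid.

```csharp
using System;
using System.Text;
using System.Text.Json;

namespace MyCode
{
    // Added example (hypothetical names): read "exp" from the payload segment without JWT.Net.
    public static class JwtExpiry
    {
        // Base64url (RFC 7515): no padding, '-' and '_' instead of '+' and '/'.
        private static byte[] FromBase64Url(string s)
        {
            string b64 = s.Replace('-', '+').Replace('_', '/');
            switch (b64.Length % 4)
            {
                case 2: b64 += "=="; break;
                case 3: b64 += "="; break;
                case 1: throw new FormatException("invalid base64url length");
            }
            return Convert.FromBase64String(b64);
        }

        // Returns the "exp" claim as UTC, or null if the token is malformed or has no exp.
        // The signature segment is ignored: nothing here proves the token is genuine.
        public static DateTimeOffset? GetExpiryUtc(string jwt)
        {
            string[] parts = jwt.Split('.');
            if (parts.Length != 3) return null;            // header.payload.signature
            string payloadJson;
            try { payloadJson = Encoding.UTF8.GetString(FromBase64Url(parts[1])); }
            catch (FormatException) { return null; }
            using (JsonDocument doc = JsonDocument.Parse(payloadJson))
            {
                if (doc.RootElement.TryGetProperty("exp", out JsonElement exp)
                    && exp.TryGetInt64(out long seconds))
                    return DateTimeOffset.FromUnixTimeSeconds(seconds);
                return null;
            }
        }

        // Refresh a little before the real expiry so clock skew and request latency don't bite.
        // A token without a readable exp is treated as needing a refresh.
        public static bool NeedsRefresh(string jwt, TimeSpan leeway)
        {
            DateTimeOffset? exp = GetExpiryUtc(jwt);
            return exp == null || exp.Value - leeway <= DateTimeOffset.UtcNow;
        }
    }
}
```

Call NeedsRefresh(accessToken, TimeSpan.FromSeconds(30)) before each request; when it returns true, fetch a new token instead of sending the old one.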

That’s it. You are now a security expert. Happy coding.

FUNNY FINAL NOTE:

The term “JWT Token” is a redundant acronym syndrome, or RAS-syndrome. It is the use of the last word of the acronym in conjunction with the abbreviated form. It’s like saying “PIN number” or “PDF format”. In reality, when saying “JWT Token”, you are really saying “json web token token” :).

MORE TO READ: