JWT token exception in ASP.Net (Lifetime validation failed. The token is missing an Expiration Time.)

@aha, it looks like you solved your problem by shortening your expiration datetime to just one year in the future. Which works, but if you want to understand the underlying architectural reason why it was failing before (and as such make appropriate architectural changes in your own code), you can read this SO post here: https://stackoverflow.com/a/46654832/1222775.

The bottom line is that the expiration date for JWTs validated against the Microsoft OWIN middleware has an upper limit of 2147483647 (which also happens to be Int32.MaxValue), and that translates to: Tue, 19 Jan 2038 03:14:07 GMT

In your SO question, the debug output you posted showing the "exp" claim value you used, was a value of 33051661101 which translates to: Wednesday, May 14, 3017 8:58:21 AM which blows past Microsoft's upper limit for the exp value by almost 80 years :).

I hope Microsoft will solve this issue soon, but in the meantime, for anyone experiencing a similar issue, try not to issue too long-lasting tokens, or at least, don't make them go past Tue, 19 Jan 2038 @ 03:14:07 GMT :).


Following the suggestion here, I fixed the problem by switching from using

System.IdentityModel.Tokens.Jwt.TokenHandler.CreateToken(SecurityTokenDescriptor)

to

new System.IdentityModel.Tokens.Jwt.JwtSecurityToken(JwtHeader, JwtPayload).

And defined the payload as follows:

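// Unix epoch; "exp" and "iat" are seconds since this instant in UTC.
DateTime centuryBegin = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
// Use UtcNow: DateTime.Now would shift both claims by the local UTC offset.
var exp = new TimeSpan(DateTime.UtcNow.AddYears(1).Ticks - centuryBegin.Ticks).TotalSeconds;
var now = new TimeSpan(DateTime.UtcNow.Ticks - centuryBegin.Ticks).TotalSeconds;
// issuer and audience are strings defined elsewhere in the application.
var payload = new System.IdentityModel.Tokens.Jwt.JwtPayload
{
    {"iss", issuer},
    {"aud", audience},
    {"iat", (long)now},
    {"exp", (long)exp}
};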

So, I ended up not using the SecurityTokenDescriptor class because it expects DateTime objects to be assigned to Expires and IssuedAt, or Lifetime properties (depending on whether it is in the Microsoft.IdentityModel.Tokens or System.IdentityModel.Tokens namespace).

I have no intention of using SecurityTokenDescriptor; however, I couldn't find a solution on how to use SecurityTokenDescriptor and still set correct values to the "exp" field.
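
The Int32 limit described in the first answer can be checked before a token is handed out. The following is an added example, not code from either answer or from Microsoft's libraries; the class and method names (JwtExpCheck, ReadExp, FitsInt32, B64Url) are hypothetical and the sample tokens are constructed and unsigned. It decodes the "exp" claim from a compact JWT and reports whether it stays at or below 2147483647:

```csharp
using System;
using System.Text;
using System.Text.Json;

static class JwtExpCheck
{
    // Limit quoted in the first answer: Int32.MaxValue seconds since the Unix epoch
    // (Tue, 19 Jan 2038 03:14:07 GMT).
    const long MaxExp = int.MaxValue;

    // Decode the payload (second segment) of a compact JWT and return its "exp" claim.
    static long ReadExp(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) throw new FormatException("not a compact JWT");
        // base64url -> base64, then restore the stripped padding.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        if (!doc.RootElement.TryGetProperty("exp", out JsonElement exp))
            throw new FormatException("token has no exp claim");
        return exp.GetInt64();
    }

    // True when the value can be represented as an Int32 number of seconds.
    static bool FitsInt32(long exp) => exp >= 0 && exp <= MaxExp;

    // Helper used only to build the constructed sample tokens below.
    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // First value is the "exp" quoted in the answer; second is one year from now.
        long[] samples = { 33051661101, DateTimeOffset.UtcNow.AddYears(1).ToUnixTimeSeconds() };
        foreach (long sample in samples)
        {
            // Constructed token with a placeholder signature; only the payload is inspected.
            string jwt = B64Url("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "."
                       + B64Url("{\"exp\":" + sample + "}") + ".placeholder";
            long exp = ReadExp(jwt);
            Console.WriteLine($"exp={exp} ({DateTimeOffset.FromUnixTimeSeconds(exp):u}) " +
                              $"fits Int32: {FitsInt32(exp)}");
        }
    }
}
```

A check like FitsInt32 belongs in the issuing code path, so a token that the validating middleware would reject is never handed to a client.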