handler.CreateJwtSecurityToken(descriptor); IDX12401

When my server runs locally (GMT+1) all is fine; when I place my server in a -8 timezone e.g.

Then I get a message:

IDX12401: Expires: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]' must be after NotBefore: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.

This seems to be because

Expires = DateTime.Now.AddMinutes(30),

... other code ...

JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
JwtSecurityToken token = handler.CreateJwtSecurityToken(descriptor);

Errors out. The strange thing is that the Expires field is the current time in that zone +30 minutes (which is what is configured: +30 minutes). This is strange. Why does it not allow logging in and immediately expire with that message, but only when in a -X time zone, while the time shown is actually 30 minutes in the future?

There is 1 best solution below

The error isn't clear about what exactly has to be done, but if you look for long enough you can find that there is another attribute called "NotBefore"; the error is talking about that property.

As you can see in the documentation both "NotBefore" and "Expires" properties should be in UTC, so, as you've already guessed, the validation uses DateTime.UtcNow. Therefore if you live in a country with a negative timezone you should be facing this problem.

The solution is kind of simple:

var date = DateTime.UtcNow;
var tokenDescriptor = new SecurityTokenDescriptor
{
    Expires = date.AddMinutes(10),
    NotBefore = date,
};

Also, it is important to notice that the "NotBefore" property will be translated into the "nbf" field (not valid before). Consequently, if you insert a value higher than UtcNow you might have some unintended issues.
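
The following is an added example, not code from the original answer. It reproduces the failing comparison at fixed offsets of UTC-8 and UTC+1 without changing the machine's time zone (assuming, as the answer states, that an unset NotBefore is taken from DateTime.UtcNow), then builds the descriptor from a single UTC instant. The names TokenTimes, ExpiresAfterNotBefore, WallClock and Describe, the sample instant and the demo key are constructed for illustration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class TokenTimes
{
    // DateTime comparison looks only at Ticks and ignores Kind, so a local
    // wall-clock value is compared as if it were UTC.
    public static bool ExpiresAfterNotBefore(DateTime notBefore, DateTime expires)
        => expires > notBefore;

    // Wall-clock time at a fixed UTC offset, like DateTime.Now on such a server.
    public static DateTime WallClock(DateTime utc, TimeSpan offset)
        => DateTime.SpecifyKind(utc + offset, DateTimeKind.Local);

    // Hypothetical helper: every time field derives from one UTC instant.
    public static SecurityTokenDescriptor Describe(DateTime utcNow, TimeSpan lifetime, SigningCredentials creds)
    {
        if (utcNow.Kind != DateTimeKind.Utc)
            throw new ArgumentException("Pass DateTime.UtcNow, not DateTime.Now.", nameof(utcNow));
        return new SecurityTokenDescriptor
        {
            NotBefore = utcNow,
            IssuedAt = utcNow,
            Expires = utcNow + lifetime,
            SigningCredentials = creds,
        };
    }

    public static void Main()
    {
        var utc = new DateTime(2024, 1, 15, 12, 0, 0, DateTimeKind.Utc); // constructed instant
        var lifetime = TimeSpan.FromMinutes(30);

        // UTC-8: "expires" 04:30 vs NotBefore 12:00 -> False (the IDX12401 condition)
        Console.WriteLine(ExpiresAfterNotBefore(utc, WallClock(utc, TimeSpan.FromHours(-8)) + lifetime));
        // UTC+1: "expires" 13:30 vs NotBefore 12:00 -> True, so the bug stays hidden
        Console.WriteLine(ExpiresAfterNotBefore(utc, WallClock(utc, TimeSpan.FromHours(1)) + lifetime));

        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-32-bytes-long!!"));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var handler = new JwtSecurityTokenHandler();
        JwtSecurityToken token = handler.CreateJwtSecurityToken(Describe(DateTime.UtcNow, lifetime, creds));
        Console.WriteLine($"nbf={token.ValidFrom:o} exp={token.ValidTo:o}");
    }
}
```

The Kind guard in Describe turns a stray DateTime.Now into an immediate error on every server, instead of one that only appears in time zones behind UTC.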