Add a TTL to the OpenIdConnect validation

device-telemetry/WebService/Auth/AuthMiddleware.cs

@@ -54,6 +54,7 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Auth
         private TokenValidationParameters tokenValidationParams;
         private readonly bool authRequired;
         private bool tokenValidationInitialized;
+        private DateTime tokenValidationExpiration;
         private readonly IUserManagementClient userManagementClient;
 
         public AuthMiddleware(
@@ -70,6 +71,7 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Auth
             this.log = log;
             this.authRequired = config.AuthRequired;
             this.tokenValidationInitialized = false;
+            this.tokenValidationExpiration = DateTime.UtcNow;
             this.userManagementClient = userManagementClient;
 
             // This will show in development mode, or in case auth is turned off
@@ -87,7 +89,8 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Auth
                     this.config.JwtIssuer,
                     this.config.JwtAudience,
                     this.config.JwtAllowedAlgos,
-                    this.config.JwtClockSkew
+                    this.config.JwtClockSkew,
+                    this.config.OpenIdTimeToLive
                 });
 
                 this.InitializeTokenValidationAsync(CancellationToken.None).Wait();
@@ -220,7 +223,8 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Auth
 
         private async Task<bool> InitializeTokenValidationAsync(CancellationToken token)
         {
-            if (this.tokenValidationInitialized) return true;
+            // If the token has been initialized and is not past expiry, return.
+            if (this.tokenValidationInitialized && !this.TokenValidationExpired()) return true;
 
             try
             {
@@ -248,6 +252,7 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Auth
                 };
 
                 this.tokenValidationInitialized = true;
+                this.tokenValidationExpiration = DateTime.UtcNow.Add(this.config.OpenIdTimeToLive);
             }
             catch (Exception e)
             {
@@ -256,5 +261,14 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Auth
 
             return this.tokenValidationInitialized;
         }
+
+        /// <summary>
+        /// Checks if the OpenId Connect token has hit the expiration time.
+        /// </summary>
+        /// <returns>true if the token has expired</returns>
+        private bool TokenValidationExpired()
+        {
+            return this.tokenValidationExpiration > DateTime.UtcNow;
+        }
     }
 }

device-telemetry/WebService/Auth/ClientAuthConfig.cs

@@ -36,6 +36,12 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Auth
         // Clock skew allowed when validating tokens expiration
         // Default: 2 minutes
         TimeSpan JwtClockSkew { get; set; }
+
+        // Time to live for the OpenId Connect validation token.
+        // The metadata settings will expire so the token needs to be
+        // periodically recreated.
+        // Default: 7 days
+        TimeSpan OpenIdTimeToLive { get; set; }
     }
 
     public class ClientAuthConfig : IClientAuthConfig
@@ -49,5 +55,6 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Auth
         public string JwtIssuer { get; set; }
         public string JwtAudience { get; set; }
         public TimeSpan JwtClockSkew { get; set; }
+        public TimeSpan OpenIdTimeToLive { get; set; }
     }
 }

device-telemetry/WebService/Runtime/Config.cs

@@ -70,6 +70,9 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Runtime
         private const string JWT_AUDIENCE_KEY = JWT_KEY + "aadAppId";
         private const string JWT_CLOCK_SKEW_KEY = JWT_KEY + "clockSkewSeconds";
 
+        private const string OPEN_ID_KEY = APPLICATION_KEY + "ClientAuth:OpenIdConnect:";
+        private const string OPEN_ID_TTL_KEY = OPEN_ID_KEY + "timeToLiveDays";
+
         private const string ACTIONS_KEY = "Actions:";
         private const string ACTIONS_EVENTHUB_NAME = ACTIONS_KEY + "actionsEventHubName";
         private const string ACTIONS_EVENTHUB_CONNSTRING = ACTIONS_KEY + "actionsEventHubConnectionString";
@@ -136,6 +139,8 @@ namespace Microsoft.Azure.IoTSolutions.DeviceTelemetry.WebService.Runtime
                 JwtAudience = configData.GetString(JWT_AUDIENCE_KEY, String.Empty),
                 // By default the allowed clock skew is 2 minutes
                 JwtClockSkew = TimeSpan.FromSeconds(configData.GetInt(JWT_CLOCK_SKEW_KEY, 120)),
+                // By default the time to live for the OpenId connect token is 7 days
+                OpenIdTimeToLive = TimeSpan.FromDays(configData.GetInt(OPEN_ID_TTL_KEY, 7))
             };
         }
     }

device-telemetry/WebService/WebService.csproj

@@ -16,7 +16,7 @@
     <PackageReference Include="Microsoft.AspNetCore" Version="2.0.1" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="2.0.1" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Ini" Version="2.0.0" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="2.1.4" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="5.4.0" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\Services\Services.csproj" />

device-telemetry/WebService/appsettings.ini

@@ -93,6 +93,12 @@ aadAppId=""
 ; Default: 2 minutes
 clockSkewSeconds = 300
 
+[TelemetryService:ClientAuth:OpenIdConnect]
+; Time to live for the OpenId Connect validation token.
+; The metadata settings will expire so the token needs to be periodically recreated.
+; Default: 7 days
+timeToLiveDays = 7
+
 [KeyVault]
 aadAppId = ${PCS_AAD_APPID}
 aadAppSecret = ${PCS_AAD_APPSECRET}