How To Control App Token Lifetimes in SharePoint 2013


Today's post is the first selection from the little twitter contest I announced on the Share-n-Dipity blog a few days ago:  http://blogs.technet.com/b/speschka/archive/2013/09/04/use-social-tools-to-tell-me-what-you-want-to-see-here-next.aspx.  Shariq wanted to know more about the lifetime for high trust app tokens, as he tweeted here:

So we'll look at where you can control that, but we'll also see that at the end of the day it really doesn't matter.  The keys to controlling the token lifetime for apps in a high trust app is in TokenHelper.  If you look at the IssueToken method you'll see that there are one or two JWT tokens created – one if you are using an app only token, and a second if you are using tokens for the app and the current user.  In both cases it creates a JsonWebSecurityToken, and the fourth parameter used to create that token defines how long the token is valid for.  For the app token, TokenHelper uses a constant called TokenLifetimeMinutes that is set to a value of 1,000,000 by default.  Definitely not a value you should need to worry about in any scenario, unless of course you wanted to limit it (which is really the more interesting scenario).  For the user token, it is hard-coded by default to use a lifetime of 10 minutes.  So if you drill into the IssueToken method you can find those values and change them to whatever you want.  So why doesn't it really matter?

Well, if you dig further into the code, you see that TokenHelper includes a delegate that's invoked in the GetClientContextWithAccessToken method.  It's whole role in life is to add a bearer token to any request that comes from your app into SharePoint.  You can see it here:

clientContext.ExecutingWebRequest +=
                delegate(object oSender, WebRequestEventArgs webRequestEventArgs)
                {
                    webRequestEventArgs.WebRequestExecutor.RequestHeaders["Authorization"] =
                        "Bearer " + accessToken;
                };

If you set a breakpoint on that line of code and then step through a request from your app, you'll see that none of the token "setup" functions – i.e. those that create the ClientContext – actually result in an HTTP call.  It's only when you call the ExecuteQuery method on the ClientContext object that a request goes over the wire, and then the delegate fires and the token is added to the request.  So getting back to really the intent of Shariq's original question, while you CAN cache the access token you get in a high trust app, there's really not a good reason to do so (at least that I can think of so far), because it doesn't generate a call to SharePoint anyways.  Just for proving this out I wrote a little sample app where I played with setting the token lifetime for the user to 5 minutes, but I cached the access token for 1 year.  Sure enough, after 5 minutes had passed all of my app calls started failing with 401 – unauthorized errors, which is exactly what you would expect to see.  I've attached a zip file to this posting with that sample application.

Now…where caching app tokens DOES help is when you are using low trust apps.  In that case you absolutely do save one or more roundtrips to ACS to get an access token if you are caching them.  If you have lots of users and/or lots of requests this can really add up.  I won't bother going into the details of how to cache tokens for low trust apps here, because I've already posted about that in the series on app security.  For more details, see part 4 of that series at http://blogs.technet.com/b/speschka/archive/2013/07/30/security-in-sharepoint-apps-part-4.aspx.

Hopefully that explains the concepts in a little more detail and will be useful to you in your application security designs.  That was a great question Shariq, and thanks for responding to the twitter 'test.  Feel free to continue to pile your requests in there.

AppTokens.zip

Comments (5)

  1. Shariq-MSFT says:

    Perfect !! Thanks for the great explanation.

  2. alexandrad9x says:

    Tao http://dichvuketoanlongbien.com/
    Rủa
    http://dichvuketoanlongbien.com/a2-96-dich-vu-ke-toan-tron-goi.html
    Thằng http://dichvuketoanlongbien.com/a2-98-dich-vu-ke-toan-thue.html
    Cờ
    http://dichvuketoanlongbien.com/a2-103-dich-vu-bao-cao-tai-chinh.html
    http://dichvuketoanlongbien.com/a2-97-dich-vu-quyet-toan-thue.html
    Nào
    http://dichvuketoanlongbien.com/a2-114-dich-vu-ke-toan-tai-29-quan-huyen.html
    Soi
    http://dichvuketoanlongbien.com/i780-dich-vu-ke-toan-thue-tron-goi-tai-bac-ninh.html
    Tài
    http://dichvuketoanlongbien.com/i779-dich-vu-ke-toan-thue-tron-goi-tai-bac-giang.html
    Khoản
    http://dichvuketoanlongbien.com/i778-dich-vu-ke-toan-thue-tron-goi-tai-phu-tho.html

    http://dichvuketoanlongbien.com/i781-dich-vu-ke-toan-thue-tron-goi-tai-hung-yen.html
    Link
    http://dichvuketoanlongbien.com/i782-dich-vu-ke-toan-thue-tron-goi-tai-vinh-phuc.html
    Của
    http://dichvuketoanlongbien.com/i783-dich-vu-ke-toan-thue-tron-goi-tai-hai-phong.html
    Tao. http://www.trungtamketoan.com.vn/
    Chúng
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-ha-noi.html
    Mày
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-tp-hcm.html
    Đủ
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-quang-ninh.html
    Trình
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-hai-duong.html
    Thì
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-bac-giang.html
    Tự
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-bac-ninh.html
    Đi
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-hai-phong.html

    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-nam-dinh.html
    Làm.
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-thai-binh.html
    Việc
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-thanh-hoa.html

    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-vinh-phuc.html
    Phải
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-hung-yen.html
    Rẻ
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-phu-tho.html
    Rách
    http://www.trungtamketoan.com.vn/p/trung-tam-dao-tao-ke-toan-tai-binh-duong.html
    Như http://www.tosvn.com
    Thế. http://iketoan247.blogspot.com
    Loại http://tailieuveketoan.blogspot.com
    Chó http://mauhinhnendep.blogspot.com
    Má. http://www.tosvn.com/search/label/Hack%20CF
    Tao http://www.tosvn.com/search/label/Hack%20AvatarStar
    Rủa http://www.tosvn.com/search/label/Hack%20Warcraft-Dota2
    Những http://hocketoan360.com/category/tai-lieu-ke-toan/
    Thằng http://iketoan247.blogspot.com/search/label/thong-tin-kinh-te
    Soi http://iketoan247.blogspot.com/search/label/tin-bai-ve-thue
    Tao http://hoclamketoan.edu.vn/
    Sẽ http://hoclamketoan.edu.vn/category/khoa-hoc-ke-toan
    Tan http://hoclamketoan.edu.vn/category/dich-vu-ke-toan
    Cửa http://hoclamketoan.edu.vn/category/hoc-lam-ke-toan
    Nát http://hoclamketoan.edu.vn/category/tai-lieu-ke-toan
    Nhà http://hocketoan360.com/
    Haha http://hocketoan360.com/category/khoa-hoc-ke-toan/
    http://hocketoan360.com/category/dich-vu-ke-toan/

  3. Ed (DareDevil57) says:

    thanks for sharing.

  4. SD says:

    http://www.shopbestgoods.com/
    http://www.nike-jordanshoes.com/
    http://www.beatsbydreoutlet.net/
    http://www.michaelkorsus.com/
    http://www.polo-tshirts.com/
    http://www.northsclearance.com/
    http://www.ralph-laurensale.com/
    http://www.gucci-shoesuk2014.com/
    http://www.michael-korsusa.com/
    http://www.polo-outlets.com/
    http://www.ralphslauren.co.uk/
    http://www.marcjacobsonsale.com/
    http://www.mcmworldwides.com/
    http://www.salongchamppairs.com/
    http://www.canada-gooser.com/
    http://www.burberryoutlet2014.com/
    http://www.michaelkors.so/
    http://www.hermes-outletonline.com/
    http://www.oakley-sunglassoutlet.com/
    http://www.north-faceoutlets.net/
    http://www.moncler-clearance.com/
    http://www.woolrich-clearance.com/
    http://www.barbour-jacketsoutlet.com/
    http://www.moncler-jacketsoutletonline.com/
    http://www.monsterbeatsbydres.net/
    http://www.louis-vuittonblackfriday.com/
    http://www.lv-guccishoesfactory.com/
    http://www.mcmoutlet-jp.com/
    http://www.cheapdiscountoutlet.com/
    http://coachoutlet.iwopop.com/
    http://www.coachsfactoryoutlet.com/
    http://www.coach-blackfriday2014.com/
    http://www.coach-storeoutletonline.com/
    http://www.coach-factorysoutletonline.com/
    http://www.coachccoachoutlet.com/
    http://www.coach-factories.net/
    http://www.coach-pursesoutletonline.com/
    http://www.llouisvuitton-factory.net/
    http://www.coach-outletsusa.com/
    http://www.mksfactoryoutlet.com/
    http://www.zxcoachoutlet.com/
    http://www.mischristmas.com/
    http://www.misblackfriday.com/
    http://www.bestcustomsonline.com/
    http://www.newoutletonlinemall.com/
    http://www.clickmichaelkors.com/
    http://www.cmichaelkorsoutlet.com/
    http://www.ralphlaurenepolo.com/
    http://michaelkorsoutlet.mischristmas.com/
    http://mcmbackpack.mischristmas.com/
    http://monsterbeats.mischristmas.com/
    http://northfaceoutlet.mischristmas.com/
    http://mk.misblackfriday.com/
    http://coachoutlet.misblackfriday.com/
    http://coachfactory.misblackfriday.com/
    http://uggaustralia.misblackfriday.com/
    http://coachpurses.misblackfriday.com/
    http://coachusa.misblackfriday.com/
    http://coach.misblackfriday.com/
    http://michaelkorss.misblackfriday.com/
    http://michaelkors.misblackfriday.com/
    http://airmax.misblackfriday.com/
    http://michael-kors.misblackfriday.com/

    http://t.co/1PJuejI1ys
    http://t.co/FYm2MxWwLM
    https://twitter.com/CoachOutlet2014
    https://www.facebook.com/pages/Coach-Factory-Outlet-Online-Store-Michael-Kors-Outlet-Online-Sale-75-Off/712060898859091
    https://www.facebook.com/pages/Ralph-Lauren-Polo-Outlet-Online-Sale/1404100279810690