Uses of Property "expires_at" in Identity Server Authentication Response Object

Question

Question / Issue

I would like to know the actual purpose of the "expires_at" property once I logged in successfully then the Identity Server returns the following Response JSON

{
  "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDMwMCIsImF1ZCI6ImpzIiwiZXhwIjoxNTAyNDI4MjQyLCJuYmYiOjE1MDI0Mjc5NDIsIm5vbmNlIjoiYWU0MTZlZjQwNDc4NDkwNmI5NTg3MDkxY2I0ODhjZjUiLCJpYXQiOjE1MDI0Mjc5NDIsImF0X2hhc2giOiJIWEhKWl9LdkdfcnVwMXZQY1lKYWRnIiwic2lkIjoiNjY0M2Y0NjlkMGY3YzgxZWQ3MDFhZmQ5MmYzYzFiMDYiLCJzdWIiOiIxIiwiYXV0aF90aW1lIjoxNTAyNDI3NDYxLCJpZHAiOiJpZHNydiIsImFtciI6WyJwYXNzd29yZCJdfQ.ai98BnTEqWQDBT9BPMJmft-KVgC9nLR2fQCpWW95E-CqyW0vrVtgXTh-ExDAXcQGrl2CzEf0a-7B2SnfAJ9qwSFmn4T--bZMKnoN2YnsHdbad9rhCGOvKEDI0NCfTlDYFQ03ZUdZVW27hYJO6Bbt8FeJPBIv3Ko7MV40gqDGojZ74twO_YZOIzJNJGDmIysquD_hRGU75xTz41MBuMob3FMzmLegIOYqUDFz6A8VrFEL3j1Cgo67sp7IP4RQ9uJj56kU8DI4mZR6YCFp3QdLtYqQPVO6zkO1OhpeDVyZNffC1PbFDsJ5lhPRicZ5MZo-m8eMVSNis6X5fWhuuC9kAg",
  "session_state": "0JCstb_hlFJAAw30DwbPoV6mDvg01QRbZ-H4N2TyFcY.03e0a811c45d02838f745a3b369ecabc",
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDMwMCIsImF1ZCI6Imh0dHBzOi8vbG9jYWxob3N0OjQ0MzAwL3Jlc291cmNlcyIsImV4cCI6MTUwMjQyODAwMiwibmJmIjoxNTAyNDI3OTQyLCJjbGllbnRfaWQiOiJqcyIsInNjb3BlIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCIsImFwaSJdLCJzdWIiOiIxIiwiYXV0aF90aW1lIjoxNTAyNDI3NDYxLCJpZHAiOiJpZHNydiIsImFtciI6WyJwYXNzd29yZCJdfQ.A6Dj10rBKN2CIo1wLfj_stuNXq-QH66sfdhuQiqqMGXcTQ88VnWcgCo13_br8_-gBb0fTGkdHRHZAP5oHbYtiJA9AAMO7Z8R_JsrVdYSaK9SXpRMuKdEhYTK1BQjVPsU04hHJAIEPQZ0i8MKE3FOsyoDEMOfXdVR8oY9vqEpN5X1AYQ4ia_aB_cHPzOUYccr1B5nn4VWl47D-BW6bf4v60P0wHx1uSYeTN_N3J9nbgEXqvLY6ED978jFRvFz7zllHWkIZSxM91Mu-uyIKa6-MRNuYvbtejdNtDzPpUjWDnAsYhL-AyxKaqq1prACkCxESpPXUggl2jMH8hWbl8lX4w",
  "token_type": "Bearer",
  "scope": "openid profile email api",
  "profile": {
    "sid": "6643f469d0f7c81ed701afd92f3c1b06",
    "sub": "1",
    "auth_time": 1502427461,
    "idp": "idsrv",
    "amr": [
      "password"
    ],
    "given_name": "Bob",
    "family_name": "Smith",
    "email": "[email protected]"
  },
  "expires_at": 1502428003
}

I would like to know the purpose of "expires_at": 1502428003, and let me know the format of this property whether it's returning Ticks / Milliseconds / Seconds / ???

Is there any relationship between this property "expires_at": 1502428003 with Silent Renew new Oidc.UserManager().signinSilentCallback(); ???

Answer 1

I came across this question trying to find out what format is used for auth_time and expires_at.

Finally, I found the answer in the openid conect spec and thought I should add it here since this question has never been answered.

Both auth_time and expires_at are datetime values expressed as the number of seconds since 1970-01-01T00:00:00Z

What purpose they are for, I suppose, is to use it in the client app depending on your needs, but you might need to convert it to a more useful datetime format. Maybe you have rules about how old a token is allowed, maybe you want to check how soon the token expires.

In my project, I have a C# class that has been deserialized from a json token, and I capture the expires_at as an integer then add it to the date above as seconds to get the C# datetime for expiration of the token.

public int Expires_At { get; set; } = 0;

public DateTime GetExpirationTime()
{
    var jan1970 = Convert.ToDateTime("1970-01-01T00:00:00Z");
    return jan1970.AddSeconds(Expires_At);

}

For example, a value of 1537481262 for Expires_At results in 2018-09-20T22:07:42 when added as seconds to jan1970.