NeilMadden/apisecurityinaction

JWT tokens - not checking the expiration timestamp?

jumarko opened this issue · 3 comments

I'm not 100% sure if my analysis is correct, but it seems that the code in the book isn't checking the `exp` JWT field to make sure the JWT hasn't expired.
In SignedJwtTokenStore#create there's only signature verification and an audience check.
I do not see any explicit expiration time check, neither in the code nor in the Nimbus library.

After looking around, I found this class that could do such a check: https://www.javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/com/nimbusds/jwt/proc/DefaultJWTClaimsVerifier.html

I implemented it like this: https://github.com/jumarko/api-security-in-action/pull/24/files

Am I missing something? Is this check implicit (somewhere in the library) or is there a rationale for not doing it?

@NeilMadden any thoughts about this one?

The exp field from the JWT is copied to the expiry field in the Token object, which is then checked in generic code that is shared between all TokenStore implementations: https://github.com/NeilMadden/apisecurityinaction/blob/chapter06-end/natter-api/src/main/java/com/manning/apisecurityinaction/controller/TokenController.java#L41
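As an added illustration of the split described in the reply above (the store verifies the signature and audience and only copies `exp` into `Token.expiry`; generic controller code shared by all stores is what rejects expired tokens), here is a self-contained Python sketch. It is not the book's Java/Nimbus code; the key, audience and claim values are constructed for the example.

```python
"""Constructed example: JWT store that checks signature + audience only,
with the expiry check living in generic code shared by every TokenStore."""
import base64, hashlib, hmac, json, time
from dataclasses import dataclass
from typing import Optional

AUDIENCE = "https://localhost:4567"            # assumed audience value
SECRET = b"constructed-demo-key-do-not-use-0000"  # constructed HMAC key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


@dataclass
class Token:
    expiry: int      # Unix seconds, mirrors the Token.expiry field
    username: str


def create(token: Token) -> str:
    """Store-level create: HS256-signed JWT carrying sub, aud and exp."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": token.username, "aud": AUDIENCE, "exp": token.expiry}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read(jwt: str) -> Optional[Token]:
    """Store-level read: verify signature and audience, copy exp; do NOT
    check expiry here, that is the job of the shared controller code."""
    try:
        h, c, s = jwt.split(".")
        expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                      # forged or tampered token
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None                      # pin the algorithm we signed with
        claims = json.loads(_b64url_decode(c))
    except (ValueError, TypeError):
        return None                          # malformed token
    if claims.get("aud") != AUDIENCE or "exp" not in claims:
        return None                          # wrong audience or exp missing
    return Token(expiry=int(claims["exp"]), username=claims["sub"])


def validate_token(jwt: str, now: Optional[int] = None) -> Optional[Token]:
    """Generic check shared by all stores: reject anything past its expiry."""
    now = int(time.time()) if now is None else now
    token = read(jwt)
    return None if token is None or token.expiry <= now else token
```

Calling `read` alone shows why the generic check matters: it happily returns an expired token, so every request path must go through `validate_token`.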

I see, thanks!