Sample code: exp claim should be in seconds, not milliseconds
harriha opened this issue · 4 comments
Hi,
As it seems, the JWT spec defines the exp
to be in seconds since the epoch. However, the sample code in the README (https://github.com/docdis/learn-json-web-tokens#helper-methods) sets it in ms, leading to incorrect implementation if one follows that sample blindly (ahem, been there done that).
Might not hurt to mention this little gotcha explicitly in the section What are "claims".
Hi @harriha
I can't find the section of the spec that states that exp should be in seconds (not milliseconds) https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.4
Fairly certain you're right though...
Can you please paste the link?
Thanks!
Hi,
Took a moment to double-check this myself, but the spec states that the exp needs to be of NumericDate type, which is defined in the same spec in the Terminology section, see https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#page-6. Also, one can see from the node-jsonwebtoken implementation that the incoming value is handled in seconds.
Well spotted in the node-jsonwebtoken implementation!
Do you have time to submit a PR with the required change?
Hi,
Sure, let me see what I can do. A bit of awkward timing for me, but I will aim to get this done by early next week. In case you or someone else wants to get this fixed earlier, feel free to grab the task, otherwise I'll submit a PR soonish.