Expired token not throwing TokenExpiredException
BernieJ opened this issue · 7 comments
I am expecting a TokenExpiredException to be thrown on decoding a JWT token. Using package JWT v 10.1.1
Code generating the token
```csharp
public string CreateJWT(Type claims)
{
    var payload = new Dictionary<string, object>
    {
        // ....
        { "exp", DateTimeOffset.UtcNow.Add(TokenExpiry).ToUnixTimeSeconds() }
    };
    IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
    IJsonSerializer serializer = new JsonNetSerializer();
    IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
    IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder);
    string key = string.Empty; // can't encode without a key
    var token = encoder.Encode(payload, key);
    return token;
}
```
Test code
```csharp
[Test]
public void TestExpiredToken()
{
    var expiry = new TimeSpan(0, 0, -10, 0);
    var tokenManager = new TokenManagement(expiry);
    var token = tokenManager.CreateJWT(response);
    Assert.Throws<TokenExpiredException>(() =>
    {
        IJsonSerializer serializer = new JsonNetSerializer();
        IDateTimeProvider provider = new UtcDateTimeProvider();
        IJwtValidator validator = new JwtValidator(serializer, provider);
        IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
        IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
        IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
        // can't decode without string.Empty as the key, otherwise a NullReference error gets thrown
        var decodedClaims = decoder.DecodeToObject<IDictionary<string, object>>(token, string.Empty, false);
        // if check needed to throw TokenExpiredException
        // if (DateTimeOffset.FromUnixTimeSeconds((long)decodedClaims["exp"]) < DateTime.UtcNow)
        // {
        //     throw new TokenExpiredException("Token Expired");
        // }
    });
}
```
What's the version of JWT you're using?
And what's the name of the 3rd parameter of `DecodeToObject()` which you're passing as `false`?
For the `NullReferenceException`, can you please open a separate issue? But first, make sure you're using the latest version.
> What's the version of JWT you're using?
> And what's the name of the 3rd parameter of `DecodeToObject()` which you're passing as `false`?
I am using version 10.1.1.
The third parameter (false value) is to verify the signature.
Right, it's the one which controls whether to perform the validation of a token, and you set it to `false`.
Setting it to `true` should do what you expect the library to do.
Okay, I thought the verify signature did not include verifying the expiry of the token. Unfortunately I am still stuck if I change the verify to true. I get an error ArgumentOutOfRangeException. My guess is because the key I am sending is string.Empty, but as I mentioned in this issue I need to pass in a key, otherwise I get a null reference error.
What algorithm are you using? The exception stack trace hints that it's a symmetric one, e.g. HMAC SHA256.
Then you must provide a key, that's how the JWT (the protocol) works, the JWT (the library) won't be able to calculate and then validate the signature.
Or you don't care about the signature and want to validate only the expiration time? Check out some publicly available APIs on `JwtValidator`, those may help you.
Thanks for your assistance! I can confirm that after adding a key it works.
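
The resolution reached in this thread, written out as a pair of NUnit tests. This is an added example, not code from the original issue or from the JWT library: it uses a non-empty HMAC key with the third argument of `DecodeToObject()` set to `true` so that expiry is enforced, and shows that `false` skips the `exp` check along with the signature check. The key value, class name and test names are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using JWT;
using JWT.Algorithms;
using JWT.Exceptions;
using JWT.Serializers;
using NUnit.Framework;

[TestFixture]
public class ExpiredTokenTests
{
    // Constructed test key; real code loads the secret from configuration, never string.Empty.
    private const string Key = "constructed-test-key-not-a-real-secret";

    private static readonly IJsonSerializer Serializer = new JsonNetSerializer();
    private static readonly IBase64UrlEncoder UrlEncoder = new JwtBase64UrlEncoder();

    private static string CreateToken(TimeSpan expiry, string key)
    {
        var payload = new Dictionary<string, object>
        {
            { "exp", DateTimeOffset.UtcNow.Add(expiry).ToUnixTimeSeconds() }
        };
        var encoder = new JwtEncoder(new HMACSHA256Algorithm(), Serializer, UrlEncoder);
        return encoder.Encode(payload, key);
    }

    private static IJwtDecoder CreateDecoder()
    {
        var validator = new JwtValidator(Serializer, new UtcDateTimeProvider());
        return new JwtDecoder(Serializer, validator, UrlEncoder, new HMACSHA256Algorithm());
    }

    [Test]
    public void ExpiredToken_WithVerification_Throws()
    {
        var token = CreateToken(TimeSpan.FromMinutes(-10), Key);
        Assert.Throws<TokenExpiredException>(() =>
            CreateDecoder().DecodeToObject<IDictionary<string, object>>(token, Key, true));
    }

    [Test]
    public void ExpiredToken_WithoutVerification_IsAccepted()
    {
        // verify = false skips the signature check and the exp check alike.
        var token = CreateToken(TimeSpan.FromMinutes(-10), Key);
        Assert.DoesNotThrow(() =>
            CreateDecoder().DecodeToObject<IDictionary<string, object>>(token, Key, false));
    }
}
```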