Access token expiry time is not getting applied on the JWT token

Selva · March 20, 2020, 12:54pm

Hi

I am having a problem with my access token expiry interval.
When I get an access token from Auth0, expiry time is set as the same time of the query. i.e. expiry duration settings configured in the API ‘Token Expiration (Seconds)’, ‘Token Expiration For Browser Flows (Seconds)’ are not getting applied in the token.

I tried to verify this with a sample SPA application from https://auth0.com/docs/quickstart/spa/react/02-calling-an-api?download=true
I see the same problem here. However the API token validation returns success, I guess this is because of the clock skew.

Auth0 provider has all the required options for getting the token.

<Auth0Provider
    domain={config.domain}
    client_id={config.clientId}
    audience={config.audience}
    redirect_uri={window.location.origin},
    responseType="token id_token"
    scope="openid name profile"
    onRedirectCallback={onRedirectCallback}
  >

Default ’ [Username-Password-Authentication]’ connection is used. All custom rules are disabled.

I am using getTokenSilently() method to get the access token upon successful sign-in before calling the API.

I also referred the thread Access_token too short ~ jwt malformed - #4 by priya.sharma.9362 and made sure my configuration are correct. I am not getting an Opaque token, it is a proper JWT token with all the required claims in it.

Appreciate any inputs on this. Thanks in advance.

Regards
Selva

mathiasconradt · March 20, 2020, 1:40pm

Can you post the excerpt of the decoded token payload, esp. the time related claims (remove anything sensitive).

Selva · March 20, 2020, 1:48pm

Hi @mathiasconradt

Thanks. Posting the response from test application itself. Just renamed the domain name in the token.

{
  "iss": "https://mydomain.auth0.com/",
  "sub": "auth0|5e74b67fb03a090c678bc96e",
  "aud": [
    "https://testapis.mydomain.com/",
    "https://mydomain.auth0.com/userinfo"
  ],
  "iat": 1584707257,
  "exp": 1584793657,
  "azp": "bebY2DsjuvaTDu3D5ZBTeRNOPOGiguiG",
  "scope": "openid profile email"
}

Request was made a second before the value in ‘exp’ (printed and confirmed that in the debug console).

Regards
Selva

mathiasconradt · March 20, 2020, 1:58pm

When I get an access token from Auth0, expiry time is set as the same time of the query.

The provided values show a token expiration of 1 day:

console.log(new Date(1584707257 * 1000));
console.log(new Date(1584793657 * 1000));

results in:

Fri Mar 20 2020 13:27:37 GMT+0100 (Central European Standard Time)
Sat Mar 21 2020 13:27:37 GMT+0100 (Central European Standard Time)

Maybe you just looked at the time but not the day/date? What value is set in the API settings for token expiration?

Selva · March 23, 2020, 3:44am

Apologies. You are right. I did check only the time and not the date. It shows the next day as the expiry duration is set to 86400 seconds. Thanks.

mathiasconradt · March 23, 2020, 7:36am

Good to hear everything’s working as expected

system · April 7, 2020, 7:36am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.