Apple StoreKit 2 X5C certificate expired, jwt.io still verifies successfully

betaphi · September 24, 2023, 7:21am

Hello everybody,
today I noticed that some of my customer’s StoreKit 2 JWTs wouldn’t be verifiably on my server via a Swift JWT library.
However, when pasting the same JWT in jwt.io it would verify successfully. However, further investigation showed that the certificate that jwt.io displays in the “Verify Signature” section is in fact expired.

So the question is: Does jwt.io report false positive or is it in fact correct to not verify the certificate expiration date when validating JWT with X5C?

dan.woda · September 27, 2023, 12:55pm

Hi @betaphi,

Welcome to the Auth0 Community!

I would expect JWT.io to be correct and not indicate a valid token signature/certificate if it was expired.

Can you share some steps to reproduce?

system · October 26, 2023, 2:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Apple-signin-auth node js react native error: Invalid id token public key id (jwt.verify + ignoreExpiration option) JWT.io jwt , login	1	2640	March 24, 2022
Jwt token validation using ECC in .net JWT.io	4	4366	December 26, 2018
Token signature verify issue JWT.io	2	2260	March 14, 2022
Your certificate has expired! Help	3	2808	October 16, 2021
Wrong initialization and expiration date JWT.io jwt	1	1520	February 22, 2023

Apple StoreKit 2 X5C certificate expired, jwt.io still verifies successfully

Related topics