All JWT tokens must have an expiry time.
If we remove the exp field (for our tests or any other hack), the JWT token validation passes.
Shouldn’t we have an option like the one created by Go in their new library, which enforces a check on the expiration time, as having no exp in the token doesn’t make sense?
What is your take on this?
Hi @ayush.parwal,
Welcome to the Auth0 Community!
Firstly, JWT tokens are immutable and the exp claim is part of the JWT reserved claims that are not required, but are recommended to allow operability with third-party apps. (Reference: JSON Web Token Claims)
Is there a reason why you have decided to remove the exp claim? In general, you should keep the exp claim.
Additionally, could you confirm if you removed the exp claim after the JWT has been signed and issued?
Thanks,
Rueben