Expiration time not being checked if exp field does not exist

rueben.tiow · January 2, 2024, 9:53pm

Welcome to the Auth0 Community!

Firstly, JWT tokens are immutable and the exp claim is part of the JWT reserved claims that are not required, but are recommended to allow operability with third-party-apps. (Reference: JSON Web Token Claims)

Is there a reason why you have decided to remove the exp claim? In general, you should keep the exp claim.

Additionally, could you confirm if you removed the exp claim after the JWT has been signed and issued?

Thanks,
Rueben

Topic		Replies	Views
Question about token expiry Get Help login-experience , new-universal-login-experience	2	766	May 26, 2023
JWT token with invalid 'exp' time does not give exception. Get Help java , jwt-validation , expiration , jjwt	3	5754	March 2, 2018
Shouldn't JWT notBefore/expiration times be tested against the issuer time? JWT.io jwt , jwt-validation , expiration , time	2	4753	March 16, 2018
Id token expires_in different from JWT exp Get Help	6	6147	September 3, 2019
Expiration Time (exp) claim error in the ID token Get Help jwt , login	2	9088	July 1, 2021

Expiration time not being checked if exp field does not exist

Related topics