Id_token expiration check

Please include the following information in your post:

  • Which SDK this is regarding: express-openid-connect
  • SDK Version: e.g. 2.5.2
  • Platform Version: e.g. Node 14.18.1

I have a pretty simple node app protected by Okta which basically uses the default options to auth(). After logging in, when making a request to a route protected with requiresAuth it appears as though the default implementation merely calls isAuthenticated which only checks for the existence of an id_token.

Dumb question, shouldn’t it also check if the token is expired? Or is this something that I’m expected to do myself?

Hi there @taschmidt, welcome to the Auth0 Community!

This is a great question - I was able to do a little research on this but the specific behavior is still a bit confusing to me as well. It looks like in some SDKs we do check the exp of the ID token whereas in some we don’t. It seems to be a lack of parity on our end, but there’s also a general sentiment that we shouldn’t care about the expiration anyway. Basically once the client receives the ID token (generally immediately after the user authenticates), validates the token and gets/saves the user’s information the token is no longer useful.

There’s some internal discussion on parity, but this is about all I have for now. I’m not entirely sure this answers your question, but hopefully the information is somewhat useful!


Thanks for the response! I guess I’m a little confused as to why this wouldn’t be necessary. Just like checking SSL cert expirations, doesn’t the recipient of the token have a responsibility to reject expired tokens and force a reauth?

In any event, if anyone else is curious, here’s my implementation to check the token expiration:

```javascript
const debug = require('debug');
const { requiresAuth } = require('express-openid-connect');

// requiresAuth() accepts a custom "login required?" check: returning true
// sends the user back through login. Use checkAuth in place of requiresAuth().
const checkAuth = requiresAuth((req) => {
    if (!req.oidc.isAuthenticated()) return true;
    const expiration = req.oidc.idTokenClaims.exp; // seconds since the epoch
    const now = Math.floor(Date.now() / 1000);
    const expiresIn = expiration - now;
    debug('auth')('checkAuth', { expiration, now, expiresIn });
    return expiresIn < 0; // expired: require re-authentication
});
```
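As an added example (not code from this thread or from express-openid-connect), the same request-time exp check written as a standalone predicate in the shape `requiresAuth(requiresLoginCheck)` expects, extended to fail closed when `exp` is missing and to tolerate a little clock skew. The 60-second leeway, the injectable clock and the `fakeReq` helper are assumptions made for this example.

```javascript
// Added example: "login required?" predicate for requiresAuth(), checking the
// ID token's exp claim at request time. Not part of the thread or the SDK.

const DEFAULT_LEEWAY_SECONDS = 60; // assumed tolerance for clock skew between issuer and app

// True when the ID token claims should be treated as expired.
// Fails closed: no claims or a non-numeric `exp` counts as expired.
function idTokenExpired(claims, nowSeconds, leewaySeconds = DEFAULT_LEEWAY_SECONDS) {
  if (!claims || typeof claims.exp !== 'number') return true;
  return claims.exp + leewaySeconds <= nowSeconds;
}

// Predicate for requiresAuth(): return true when the user must (re)authenticate.
// `nowSeconds` is injectable so the decision can be tested without a real clock.
function loginRequired(req, nowSeconds = Math.floor(Date.now() / 1000)) {
  const oidc = req.oidc;
  if (!oidc || typeof oidc.isAuthenticated !== 'function' || !oidc.isAuthenticated()) {
    return true; // no session at all
  }
  return idTokenExpired(oidc.idTokenClaims, nowSeconds);
}

// Constructed stand-in for what the SDK puts on req.oidc, used for offline testing.
function fakeReq(claims, authenticated = true) {
  return { oidc: { isAuthenticated: () => authenticated, idTokenClaims: claims } };
}

// Wiring in an Express app (assumes express-openid-connect is installed):
//   const { auth, requiresAuth } = require('express-openid-connect');
//   app.use(auth({ /* issuerBaseURL, baseURL, clientID, secret ... */ }));
//   app.get('/profile', requiresAuth(loginRequired), (req, res) => res.json(req.oidc.user));

module.exports = { idTokenExpired, loginRequired, fakeReq, DEFAULT_LEEWAY_SECONDS };
```

Note that the SDK already validates the ID token (signature, issuer, audience, exp) when the session is created; this predicate only adds the per-request expiry check the thread asks about.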
