
payload.getExpiresAt() returns incorrect Date object

jwt
auth0

#1

Hi, I set the expiration as 10 hours on the Auth0 dashboard.
However, whenever the Android app gets the Auth0 token, it always returns a 24-hour token…
I checked payload.getExpiresIn() as well, and it returns 86399 (seconds maybe) which is almost 24 hours.

I’m having trouble due to this since the token expires after 10 hours but on the app, the token is still valid.
For now, I just subtract 14 hours in my code, but I would like to know why it happens.

Thank you.


#2

@thqkdck3 I have a few follow-up questions. What token are you checking for expiration (access or id token)? Also, where in the dashboard did you configure the expiration setting?


#3

> What token are you checking for expiration (access or id token)?

I’m not sure what Credentials is, but the payload is an instance of Credentials.

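```java
aClient.renewAuth(refreshToken)
        .start(new BaseCallback<Credentials, AuthenticationException>() {
            @Override
            public void onSuccess(Credentials payload) {
                // Expiry date reported by the returned Credentials object
                Date expiration = payload.getExpiresAt();
            }

            @Override
            public void onFailure(AuthenticationException error) {
                // Renewal failed; handle or log the error here
            }
        });
```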

> where in the dashboard did you configure the expiration setting?

I set 36000 at HERE! below
‘Application’ Tab >> our App >> ‘Setting’ >> JWT Expiration (seconds) [HERE!]


#4

Ok, I think I see what is happening. When you set the expiration for the JWT, you actually set the id_token's expiration. When you use a refresh token, the token response will give two tokens: id_token and access_token. In OAuth 2, the access_token should be treated as an opaque token to the client, meaning the client cannot inspect it. To help the client understand when the access_token expires, it returns expires at in the token response.

In other words, you’ve configured the id_token expiration, not the access_token. When you call payload.getExpiresAt(), you are looking at the access_token expiration.

If you want to change the access_token expiration, there are two JWT expiration fields on the API for which the access token is being issued. If you want to check the expiration of the id_token, you will need to decode the token and check the exp claim.
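
The two expirations discussed in this thread, side by side, as an added example that is not part of the original posts or of the Auth0 SDK. The class and method names are hypothetical, the sample token is constructed, and the code reads `exp` without verifying the signature, so the result is suitable for scheduling a renewal on the client, not for deciding whether to trust the token.

```java
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TokenExpiryDemo {
    // Numeric "exp" claim (seconds since the Unix epoch). A regex keeps the example
    // dependency-free; use a JSON parser in real code.
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Reads exp from the payload segment of an ID token. Does NOT verify the signature. */
    static Instant idTokenExpiry(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 dot-separated segments");
        }
        String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(json);
        if (!m.find()) {
            throw new IllegalArgumentException("payload has no numeric exp claim");
        }
        return Instant.ofEpochSecond(Long.parseLong(m.group(1)));
    }

    /** Access-token expiry derived from the lifetime in seconds given with the token response. */
    static Instant accessTokenExpiry(Instant receivedAt, long expiresInSeconds) {
        return receivedAt.plusSeconds(expiresInSeconds);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z"); // constructed receive time
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        // Constructed sample ID token: exp = now + 36000 s (the dashboard value from post #3).
        String header = enc.encodeToString(
                "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(
                ("{\"sub\":\"sample|user\",\"exp\":" + now.plusSeconds(36000).getEpochSecond() + "}")
                        .getBytes(StandardCharsets.UTF_8));
        String idToken = header + "." + payload + ".c2lnbmF0dXJl"; // dummy signature segment

        Instant idExp = idTokenExpiry(idToken);
        Instant accessExp = accessTokenExpiry(now, 86399); // getExpiresIn() value from post #1
        System.out.println("id_token lifetime (h):     " + Duration.between(now, idExp).toHours());
        System.out.println("access_token lifetime (h): " + Duration.between(now, accessExp).toHours());
    }
}
```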