
payload.getExpiresAt() returns incorrect Date object

jwt
auth0
#1

Hi, I set the expiration as 10 hours on the Auth0 dashboard.
However, whenever the Android app gets the Auth0 token, it always returns a 24-hour token…
I checked payload.getExpiresIn() as well, and it returns 86399 (seconds maybe) which is almost 24 hours.

I’m having trouble due to this since the token expires after 10 hours but on the app, the token is still valid.
For now, I just subtract 14 hours in my code, but I would like to know why it happens.

Thank you.

#2

@thqkdck3 I have a few follow-up questions. What token are you checking for expiration (access or id token)? Also, where in the dashboard did you configure the expiration setting?

#3

> What token are you checking for expiration (access or id token)?

I’m not sure what the Credentials is, but the payload is an instance of Credentials.

    aClient.renewAuth(refreshToken)
        .start(new BaseCallback<Credentials, AuthenticationException>() {
            @Override
            public void onSuccess(Credentials payload) {
                // Expiry reported by the Credentials object
                Date expiration = payload.getExpiresAt();
            }

            @Override
            public void onFailure(AuthenticationException error) {
                // handle the renewal failure
            }
        });

> where in the dashboard did you configure the expiration setting?

I set 36000 at HERE! below
‘Application’ Tab >> our App >> ‘Setting’ >> JWT Expiration (seconds) [HERE!]

#4

Ok, I think I see what is happening. When you set the expiration for the JWT, you actually set the id_token's expiration. When you use a refresh token, the token response will give two tokens: id_token and access_token. In OAuth 2 the access_token should be treated as an opaque token to the client, meaning the client cannot inspect it. To help the client understand when the access_token expires, it returns expires at in the token response.

In other words, you’ve configured the id_token expiration, not the access_token. When you call payload.getExpiresAt() you are looking at the access_token expiration.

If you want to change the access_token expiration there are two JWT expiration fields on the API for which the access token is being issued. If you want to check the expiration of the id_token you will need to decode the token and check the exp claim.
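
The id_token check described above, as an added example that is not part of the original post or of the Auth0 SDK: it decodes the payload segment and reads `exp`, then compares it with an access-token expiry. The class name, the sample token and the 86400-second stand-in for `Credentials.getExpiresAt()` are constructed for illustration, and the regex lookup is a simplification of real JSON parsing.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Date;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IdTokenExpiry {
    // Simplification: finds a numeric "exp" member by regex; a JSON parser is the sturdier choice.
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Reads the exp claim of a JWT. Does NOT verify the signature, so use it only
     *  to learn the expiry; validate the token before trusting any claim for access decisions. */
    static Date expiresAt(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected header.payload.signature");
        }
        // JWT segments are base64url, normally without padding.
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        Matcher m = EXP.matcher(new String(json, StandardCharsets.UTF_8));
        if (!m.find()) {
            throw new IllegalArgumentException("no numeric exp claim in payload");
        }
        // exp is in seconds since the epoch; Date takes milliseconds.
        return new Date(Long.parseLong(m.group(1)) * 1000L);
    }

    public static void main(String[] args) {
        // Constructed sample token: exp is 36000 s (10 h) from now, dummy signature.
        long now = System.currentTimeMillis() / 1000L;
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString(
                "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(
                ("{\"sub\":\"sample|123\",\"iat\":" + now + ",\"exp\":" + (now + 36000) + "}")
                        .getBytes(StandardCharsets.UTF_8));
        String idToken = header + "." + payload + ".c2ln";

        Date idTokenExpiry = expiresAt(idToken);
        // Constructed stand-in for Credentials.getExpiresAt() (access_token lifetime of 86400 s).
        Date accessTokenExpiry = new Date((now + 86400) * 1000L);

        long gapHours = (accessTokenExpiry.getTime() - idTokenExpiry.getTime()) / 3_600_000L;
        System.out.println("id_token exp:        " + idTokenExpiry);
        System.out.println("access_token expiry: " + accessTokenExpiry);
        System.out.println("difference (hours):  " + gapHours);
    }
}
```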

#5

I’m actually having a similar issue where I’m setting the “Token Expirations (in seconds)” and the “Token Expiration For Browser Flows (Seconds)” on the dashboard to both be 10 seconds. However, when I call my

    aClient.renewAuth(refreshToken)
        .start(new BaseCallback<Credentials, AuthenticationException>() {
            @Override
            public void onSuccess(Credentials payload) {
                // Log the lifetime reported in the token response
                LogsUtil.d(TAG, "expires in = " + payload.getExpiresIn());
            }

            @Override
            public void onFailure(AuthenticationException error) {
                // handle the renewal failure
            }
        });

the log statement says 86400. And I’ve tried where I don’t renew my tokens and have the same access token, yet I’m still able to successfully hit my API despite the fact that I set the expiration to 10 seconds on my dashboard.

I’m pretty confused at this point. Any thoughts would be helpful!