Shouldn't JWT notBefore/expiration times be tested against the issuer time?

I can’t find any documentation about that.

I assume clients and servers, or multiple servers, are not always synchronized between them (and I’ve seen that happen).
So if an application tries to validate a JWT from another server, but using its own time, it may find that JWT to always be invalid, even if it’s currently valid. So I would think that the expiration time should be checked using the issuer’s time.

Am I overthinking this issue? Also are there any security risks at not using the issuer’s time?

Seems like time is based on UTC and not the time of the issuer. Check this out: "What is the timezone / jwt expiration that is being passed into the token?" (Issue #89, mattupstate/flask-jwt on GitHub).
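To make the point concrete, here is an added example (not code from either poster, and not flask-jwt's implementation): `exp`, `nbf` and `iat` are NumericDate values, i.e. seconds since the Unix epoch in UTC, so the verifier compares them against its own clock and tolerates skew with a `leeway` parameter, as RFC 7519 permits. The claim sets and the fixed instant are constructed; the `simulate_skew` helper is hypothetical and only there to show what a few seconds of issuer/verifier drift does to a freshly minted token.

```python
def validate_time_claims(claims, now, leeway=0):
    """Check exp / nbf / iat against the verifier's own clock.

    `now` and the claims are NumericDate values (seconds since the Unix
    epoch, UTC), so no timezone of the issuer is involved.  `leeway`
    is the number of seconds of clock skew the verifier tolerates.
    Returns (ok, reason)."""
    for name in ("exp", "nbf", "iat"):
        if name in claims and not isinstance(claims[name], (int, float)):
            return False, f"{name} is not a NumericDate"
    # exp: reject once the current time is at or past exp (RFC 7519 4.1.4)
    if "exp" in claims and now >= claims["exp"] + leeway:
        return False, "token expired"
    # nbf: reject while the current time is still before nbf (RFC 7519 4.1.5)
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return False, "token not yet valid"
    # iat: a token claiming to be issued in the future indicates skew or forgery
    if "iat" in claims and now < claims["iat"] - leeway:
        return False, "token issued in the future"
    return True, "ok"


def simulate_skew(issuer_offset, leeway, ttl=300):
    """Issuer mints a token by its own clock, which runs `issuer_offset`
    seconds ahead of (positive) or behind (negative) the verifier's clock,
    and the verifier validates it with the given leeway."""
    verifier_now = 1_700_000_000  # constructed fixed instant, keeps results deterministic
    issuer_now = verifier_now + issuer_offset
    claims = {  # constructed claim set
        "sub": "user-123",
        "iat": issuer_now,
        "nbf": issuer_now,
        "exp": issuer_now + ttl,
    }
    return validate_time_claims(claims, verifier_now, leeway)


if __name__ == "__main__":
    print(simulate_skew(0, 0))        # (True, 'ok')
    print(simulate_skew(30, 0))       # issuer 30 s ahead, no leeway: not yet valid
    print(simulate_skew(30, 60))      # same token, 60 s leeway: accepted
    print(simulate_skew(-30, 0, 20))  # issuer 30 s behind, 20 s TTL: already expired
    print(simulate_skew(-30, 60, 20)) # leeway also extends an expired token's life
```

Note the last case: leeway is applied symmetrically, so it widens the window in which an expired token is still accepted; keep it to a few minutes at most and fix the clocks (NTP) rather than grow the leeway.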
