
Shouldn't JWT notBefore/expiration times be tested against the issuer time?

jwt
jwt-validation
expiration
time

#1

I can’t find any documentation about that.

I assume clients and servers, or multiple servers, are not always synchronized between them (and I’ve seen that happen).
So if an application tries to validate a JWT from another server, but using its own time, it may find that JWT to always be invalid, even if it’s currently valid. So I would think that the expiration time should be checked using the issuer’s time.

Am I overthinking this issue? Also, are there any security risks in not using the issuer’s time?


#2

Seems like time is based on UTC and not the time of the issuer. Check this out https://github.com/mattupstate/flask-jwt/issues/89
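
The clock-skew case raised in this thread, as an added example that is not part of any post here: `exp` and `nbf` are NumericDate values (seconds since the Unix epoch, UTC), so a verifier compares them with its own UTC clock and tolerates a small, bounded leeway rather than asking the issuer for the time. The helper names, key and timestamps are constructed for illustration, and the 60-second default leeway is an assumption.

```python
import base64, hashlib, hmac, json, time

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, key):
    """Build a compact HS256 JWT (constructed helper for this demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate(token, key, now=None, leeway=60):
    """Verify the signature, then check nbf/exp against the verifier's clock."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now  # epoch seconds, timezone-independent
    # Leeway widens the validity window on both ends; keep it small and fixed,
    # because every extra second also extends the life of a stolen token.
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise ValueError("token not yet valid")
    if "exp" in claims and now - leeway >= claims["exp"]:
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    KEY = b"constructed-demo-key"            # constructed sample key
    issuer_now = 1_700_000_030               # constructed: issuer clock runs 30 s fast
    verifier_now = 1_700_000_000             # constructed: verifier's clock
    token = sign_hs256({"sub": "alice", "nbf": issuer_now, "exp": issuer_now + 300}, KEY)
    for leeway in (0, 60):
        try:
            validate(token, KEY, now=verifier_now, leeway=leeway)
            print(f"leeway={leeway}: accepted")
        except ValueError as err:
            print(f"leeway={leeway}: rejected ({err})")
```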

