Shouldn't JWT notBefore/expiration times be tested against the issuer time?

volune · January 26, 2018, 2:53pm

I can’t find any documentation about that.

I assume clients and servers, or multiple servers, are not always synchronized between them (and I’ve seen that happen).
So if an application tries to validate a JWT from another server, but using its own time, it may find that JWT to always be invalid, even if it’s currently valid. So I would think that the expiration time should be checked using the issuer’s time.

Am I overthinking this issue? Also are there any security risks at not using the issuer’s time?

achow · March 6, 2018, 4:02am

Seems like time is based on UTC and not the time of the issuer. Check this out What is the timezone / jwt expiration that is being passed into the token? · Issue #89 · mattupstate/flask-jwt · GitHub

system · March 16, 2018, 6:15pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Expiration time not being checked if exp field does not exist Help sessions	1	675	January 2, 2024
JWT token with invalid 'exp' time does not give exception. Help java , jwt-validation , expiration , jjwt	3	5622	March 2, 2018
Expiration Time (exp) claim error in the ID token Help jwt , login	2	8592	July 1, 2021
Error with Token Expiry Time JWT.io	2	4696	July 25, 2019
Question about token expiry Help login-experience , new-universal-login-experience	2	748	May 26, 2023

Shouldn't JWT notBefore/expiration times be tested against the issuer time?

Related topics