Open Jojo-IO opened 3 years ago
It was a misconfiguration of the token. iss and exp were in the header instead of the payload. But I'm not sure a token should be accepted as valid when AuthJWTIss / AuthJWTExpDelay is set, but iss / exp is missing.
The AuthJWTExpDelay and AuthJWTIss are only used to issue tokens.
However, it is a good point. If there is a configured issuer and expiration delay, it's important to validate them afterwards. I will have a look at the code to check this behavior.
Any pull request is welcome.
Anthony
Hello,
Any news on this?
Do you plan to work on it?
Thank you in advance
Installing the newest version from source and using e.g. the minimal configuration from the readme, the module accepts just any value given as AuthJWTIss and does not mind the expiration time. Access is only denied if the token is completely wrong.
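The case reported in this thread, as an added example that is not the module's code or part of any comment above: a verifier that, once an issuer is configured, requires `iss` and `exp` in the payload and rejects a token that carries them only in the header. The HS256 key, the issuer value and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

KEY, ISS, NOW = b"constructed-demo-key", "example.com", 1_700_000_000  # constructed sample values

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, payload: dict, key: bytes = KEY) -> str:
    """Build an HS256 token; used here only to construct the sample inputs."""
    body = _b64e(json.dumps(header).encode()) + "." + _b64e(json.dumps(payload).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(sig)

def verify(token: str, key: bytes = KEY, expected_iss: str = ISS, now: float = NOW) -> dict:
    """Return the payload, or raise ValueError naming the check that failed."""
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(_b64d(h64)), json.loads(_b64d(p64))
        sig = _b64d(s64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(payload, dict)) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    # Claims are read from the payload only; iss/exp placed in the header do not count.
    if "iss" not in payload or "exp" not in payload:
        raise ValueError("missing iss/exp claim")
    if payload["iss"] != expected_iss:
        raise ValueError("wrong issuer")
    exp = payload["exp"]
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or invalid exp")
    return payload

def outcome(token: str) -> str:
    try:
        verify(token)
        return "accepted"
    except ValueError as exc:
        return str(exc)

HDR = {"alg": "HS256", "typ": "JWT"}
GOOD = make_token(HDR, {"sub": "demo", "iss": ISS, "exp": NOW + 60})
MISPLACED = make_token({**HDR, "iss": ISS, "exp": NOW + 60}, {"sub": "demo"})  # the reported token shape
```

`outcome(MISPLACED)` is rejected even though its signature is valid, which is the behaviour the first comment asks for.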