Closed taisuke-fujimoto closed 1 year ago
Hey @taisuke-fujimoto, thanks for the issue and test case. Yes, the specification states that the exp must be before the current time, so it looks like there is an off-by-1 second here.
The problem is in the assertInstantIsFuture method.
The specification states: The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.
That means:
The method assertInstantIsFuture checks for a valid token with:
The correct way should be:
Describe the problem
I tried with the code below, but no exception occurred. (TokenExpiredException occurs when Clock is +1 second.) This means that token lifetime is NOW <= "exp".
Shouldn't the token lifetime be NOW < "exp"? I think this description is correct. https://github.com/auth0/java-jwt/blob/master/EXAMPLES.md#datetime-claim-validation
Environment
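The boundary discussed in this issue, as an added example that is not part of the original thread and is not java-jwt's code: it pins the clock one second before, exactly at, and one second after "exp" and compares the inclusive check (NOW <= "exp") with the strict check the specification requires (NOW < "exp"). The class and method names, the sample "exp" value and the leeway parameter are assumptions made for illustration.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;

public class ExpBoundaryDemo {

    // Behaviour reported in the issue: the token is still accepted while NOW <= exp.
    static boolean acceptedInclusive(Clock clock, Instant exp) {
        return !clock.instant().isAfter(exp);
    }

    // RFC 7519 section 4.1.4: the current time MUST be before exp (NOW < exp).
    // leewaySeconds is a clock-skew allowance (assumption for this example; 0 = none).
    // Leeway moves the boundary later but the comparison stays strict.
    static boolean acceptedStrict(Clock clock, Instant exp, long leewaySeconds) {
        return clock.instant().minusSeconds(leewaySeconds).isBefore(exp);
    }

    public static void main(String[] args) {
        // Constructed sample expiration time, not taken from the issue.
        Instant exp = Instant.ofEpochSecond(1_700_000_000L);

        for (long offset = -1; offset <= 1; offset++) {
            // Fixed clock so the boundary second can be hit deterministically.
            Clock clock = Clock.fixed(exp.plusSeconds(offset), ZoneOffset.UTC);
            System.out.printf(
                    "NOW = exp%+d s  inclusive=%-5b strict=%-5b strict with 1 s leeway=%b%n",
                    offset,
                    acceptedInclusive(clock, exp),
                    acceptedStrict(clock, exp, 0),
                    acceptedStrict(clock, exp, 1));
        }
    }
}
```

At NOW = "exp" the inclusive check accepts the token and the strict check rejects it; that one-second window is the difference under discussion.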