auth0 / laravel-auth0

Laravel SDK for Auth0 Authentication and Management APIs.
MIT License

Using decodeJWT function, expired JWT Token still being processed #292

Closed tokidoki11 closed 2 years ago

tokidoki11 commented 2 years ago

SDK Version

6.4

PHP Version

PHP 7.4

Composer Version

1.x

What happened?

I have a Laravel service which runs an access token check by decoding the token:

private function handleAccessToken($accessToken, $request, $clientConfig)
{
    // Check token present in request header
    if (empty($accessToken)) {
        throw Error::Unauthorized('Unauthorized User.');
    }

    $auth0 = new Auth0Service($clientConfig);

    // Auth0 Token Validation
    try {
        // Get decoded JWT token from header
        $tokenInfo = $auth0->decodeJWT($accessToken);

        ///// DO things based on token info from here
    } catch (\Exception $e) {
        // The original snippet ends above; the handler that logs
        // "Auth Token Decode Error: ..." is not shown, so the error is rethrown here
        throw $e;
    }
}

When the token is expired, I notice that an error will be thrown, such as: Auth Token Decode Error: Expiration Time (exp) claim error in the ID token; current time (1655789561) is after expiration time (1655789350) [] []

But even after the token is expired, for some time the error is not thrown. I noticed that the expiration time in the message is different from the one in the exp field of the decoded JWT token.

Decoded via: https://jwt.io/

And the difference is not uniform, ranging from 5 seconds to more than a minute.

I tried the same token a second after the expiry time in the decoded JWT against GET /userinfo, and it correctly sent 401.

How can we reproduce this issue?

I currently set my auth0 access token expiry to be 60 seconds

  1. Create the token
  2. After more than a minute, hit the API that runs decodeToken

Additional context

No response

evansims commented 2 years ago

Hi @tokidoki11 👋 Thanks for your report.

Can you clarify what you mean by:

When the token is expired I notice that an error will be thrown such as Auth Token Decode Error: Expiration Time (exp) claim error in the ID token; current time (1655789561) is after expiration time (1655789350) [] []

But even the token is expired (after some time), the error is not thrown.

tokidoki11 commented 2 years ago

Hi @evansims Thanks for responding

Do you mean you expect an error to be thrown, but one isn't? Does any amount of time differential cause the error be thrown for you, or does it never appear?

Yes, I expect the error to be thrown when the expiration time in the JWT token is exceeded. Currently it will throw the error an unspecified time after the expiration in the JWT.

For example, in the JWT the exp is 1655789290, but it will throw the error after 1655789350 (a 60 sec difference, but it varies based on an unknown pattern).

Message when error thrown: Auth Token Decode Error: Expiration Time (exp) claim error in the ID token; current time (1655789561) is after expiration time (1655789350)

Can you please run composer show -i within your project and provide the output here

auth0/auth0-php                           7.9.2     Auth0 PHP SDK.
auth0/login                               6.4.0     Laravel plugin that hel...
auth0/php-jwt                             3.3.4     A simple library to wor...
barryvdh/laravel-ide-helper               v2.8.2    Laravel IDE Helper, gen...
barryvdh/reflection-docblock              v2.0.6   
composer/ca-bundle                        1.3.1     Lets you find a path to...
composer/composer                         2.2.12    Composer helps you decl...
composer/metadata-minifier                1.0.0     Small utility library t...
composer/pcre                             1.0.1     PCRE wrapping library t...
composer/semver                           3.3.2     Semver library that off...
composer/spdx-licenses                    1.5.6     SPDX licenses list and ...
composer/xdebug-handler                   3.0.3     Restarts a process with...
defuse/php-encryption                     v2.3.1    Secure PHP Encryption L...
doctrine/cache                            2.1.1     PHP Doctrine Cache libr...
doctrine/dbal                             2.13.4    Powerful PHP database a...
doctrine/deprecations                     v0.5.3    A small layer on top of...
doctrine/event-manager                    1.1.1     The Doctrine Event Mana...
doctrine/inflector                        2.0.4     PHP Doctrine Inflector ...
doctrine/instantiator                     1.4.0     A small, lightweight ut...
doctrine/lexer                            1.2.1     PHP Doctrine Lexer pars...
dragonmantank/cron-expression             v2.3.1    CRON for PHP: Calculate...
egulias/email-validator                   2.1.25    A library for validatin...
facade/flare-client-php                   1.9.1     Send PHP errors to Flare
facade/ignition                           1.18.0    A beautiful error page ...
facade/ignition-contracts                 1.0.2     Solution contracts for ...
fakerphp/faker                            v1.16.0   Faker is a PHP library ...
fideloper/proxy                           4.4.1     Set trusted proxies for...
filp/whoops                               2.14.4    php error handling for ...
firebase/php-jwt                          v5.4.0    A simple library to enc...
geo-io/interface                          v1.0.1    Geo I/O base interfaces.
geo-io/wkb-parser                         v1.0.1    Well-known binary (WKB)...
goodby/csv                                1.3.0     CSV import/export library
grimzy/laravel-mysql-spatial              2.2.3     MySQL spatial data type...
guzzlehttp/guzzle                         6.5.7     Guzzle is a PHP HTTP cl...
guzzlehttp/promises                       1.5.1     Guzzle promises library
guzzlehttp/psr7                           1.8.5     PSR-7 message implement...
hamcrest/hamcrest-php                     v2.0.1    This is the PHP port of...
itsgoingd/clockwork                       v4.1.8    php dev tools integrate...
jmikola/geojson                           1.0.2     GeoJSON implementation ...
justinrainbow/json-schema                 5.2.12    A library to validate a...
kyslik/column-sortable                    6.4.1     Package for handling co...
laminas/laminas-diactoros                 2.8.0     PSR HTTP Message implem...
laravel/framework                         v6.20.42  The Laravel Framework.
laravel/passport                          v9.2.1    Laravel Passport provid...
laravel/tinker                            v2.6.2    Powerful REPL for the L...
lcobucci/clock                            2.0.0     Yet another clock abstr...
lcobucci/jwt                              4.1.5     A simple library to wor...
league/commonmark                         1.6.6     Highly-extensible PHP M...
league/event                              2.2.0     Event package
league/flysystem                          1.1.8     Filesystem abstraction:...
league/mime-type-detection                1.9.0     Mime-type detection for...
league/oauth2-server                      8.3.2     A lightweight and power...
microsoft/azure-storage-blob              1.5.3     This project provides a...
microsoft/azure-storage-common            1.5.2     This project provides a...
microsoft/azure-storage-queue             1.3.4     This project provides a...
microsoft/azure-storage-table             1.1.5     This project provides a...
mockery/mockery                           1.4.4     Mockery is a simple yet...
monolog/monolog                           2.3.5     Sends your logs to file...
myclabs/deep-copy                         1.10.2    Create deep copies (clo...
nesbot/carbon                             2.55.2    An API extension for Da...
nikic/php-parser                          v4.13.0   A PHP parser written in...
nunomaduro/collision                      v3.2.0    Cli error handling for ...
nunomaduro/larastan                       v0.7.12   Larastan - Discover bug...
nyholm/psr7                               1.4.1     A fast PHP7 implementat...
opis/closure                              3.6.2     A library that can be u...
paragonie/random_compat                   v9.99.100 PHP 5.x polyfill for ra...
phar-io/manifest                          2.0.3     Component for reading p...
phar-io/version                           3.1.0     Library for handling ve...
php-http/message-factory                  v1.0.2    Factory interfaces for ...
php-parallel-lint/php-console-color       v0.3     
php-parallel-lint/php-console-highlighter v0.5      Highlight PHP code in t...
phpdocumentor/reflection-common           2.2.0     Common reflection class...
phpdocumentor/reflection-docblock         5.3.0     With this component, a ...
phpdocumentor/type-resolver               1.5.1     A PSR-5 based resolver ...
phpoption/phpoption                       1.8.1     Option Type for PHP
phpseclib/phpseclib                       2.0.33    PHP Secure Communicatio...
phpspec/prophecy                          1.14.0    Highly opinionated mock...
phpstan/phpstan                           0.12.99   PHPStan - PHP Static An...
phpunit/php-code-coverage                 9.2.7     Library that provides c...
phpunit/php-file-iterator                 3.0.5     FilterIterator implemen...
phpunit/php-invoker                       3.1.1     Invoke callables with a...
phpunit/php-text-template                 2.0.4     Simple template engine.
phpunit/php-timer                         5.0.3     Utility class for timing
phpunit/phpunit                           9.5.10    The PHP Unit Testing fr...
psr/container                             1.1.2     Common Container Interf...
psr/http-factory                          1.0.1     Common interfaces for P...
psr/http-message                          1.0.1     Common interface for HT...
psr/log                                   1.1.4     Common interface for lo...
psr/simple-cache                          1.0.1     Common interfaces for s...
psy/psysh                                 v0.10.8   An interactive shell fo...
ralouphie/getallheaders                   3.0.3     A polyfill for getallhe...
ramsey/uuid                               3.9.6     Formerly rhumsaa/uuid. ...
react/promise                             v2.9.0    A lightweight implement...
scrivo/highlight.php                      v9.18.1.7 Server side syntax high...
sebastian/cli-parser                      1.0.1     Library for parsing CLI...
sebastian/code-unit                       1.0.8     Collection of value obj...
sebastian/code-unit-reverse-lookup        2.0.3     Looks up which function...
sebastian/comparator                      4.0.6     Provides the functional...
sebastian/complexity                      2.0.2     Library for calculating...
sebastian/diff                            4.0.4     Diff implementation
sebastian/environment                     5.1.3     Provides functionality ...
sebastian/exporter                        4.0.3     Provides the functional...
sebastian/global-state                    5.0.3     Snapshotting of global ...
sebastian/lines-of-code                   1.0.3     Library for counting th...
sebastian/object-enumerator               4.0.4     Traverses array structu...
sebastian/object-reflector                2.0.4     Allows reflection of ob...
sebastian/recursion-context               4.0.4     Provides functionality ...
sebastian/resource-operations             3.0.3     Provides a list of PHP ...
sebastian/type                            2.3.4     Collection of value obj...
sebastian/version                         3.0.2     Library that helps with...
seld/jsonlint                             1.9.0     JSON Linter
seld/phar-utils                           1.2.0     PHAR file format utilit...
swiftmailer/swiftmailer                   v6.3.0    Swiftmailer, free featu...
symfony/console                           v4.4.40   Eases the creation of b...
symfony/css-selector                      v5.4.0    Converts CSS selectors ...
symfony/debug                             v4.4.37   Provides tools to ease ...
symfony/deprecation-contracts             v2.5.1    A generic function and ...
symfony/error-handler                     v4.4.34   Provides tools to manag...
symfony/event-dispatcher                  v4.4.34   Provides tools that all...
symfony/event-dispatcher-contracts        v1.1.12   Generic abstractions re...
symfony/filesystem                        v5.4.7    Provides basic utilitie...
symfony/finder                            v4.4.37   Finds files and directo...
symfony/http-client-contracts             v2.5.1    Generic abstractions re...
symfony/http-foundation                   v4.4.34   Defines an object-orien...
symfony/http-kernel                       v4.4.35   Provides a structured p...
symfony/mime                              v5.4.0    Allows manipulating MIM...
symfony/polyfill-ctype                    v1.25.0   Symfony polyfill for ct...
symfony/polyfill-iconv                    v1.23.0   Symfony polyfill for th...
symfony/polyfill-intl-idn                 v1.26.0   Symfony polyfill for in...
symfony/polyfill-intl-normalizer          v1.26.0   Symfony polyfill for in...
symfony/polyfill-mbstring                 v1.26.0   Symfony polyfill for th...
symfony/polyfill-php72                    v1.26.0   Symfony polyfill backpo...
symfony/polyfill-php73                    v1.25.0   Symfony polyfill backpo...
symfony/polyfill-php80                    v1.25.0   Symfony polyfill backpo...
symfony/process                           v4.4.40   Executes commands in su...
symfony/psr-http-message-bridge           v2.1.1    PSR HTTP message bridge
symfony/routing                           v4.4.34   Maps an HTTP request to...
symfony/service-contracts                 v2.5.1    Generic abstractions re...
symfony/translation                       v4.4.34   Provides tools to inter...
symfony/translation-contracts             v2.5.1    Generic abstractions re...
symfony/var-dumper                        v4.4.34   Provides mechanisms for...
theseer/tokenizer                         1.2.1     A small library for con...
tijsverkoyen/css-to-inline-styles         2.2.4     CssToInlineStyles is a ...
vlucas/phpdotenv                          v3.6.9    Loads environment varia...
webmozart/assert                          1.10.0    Assertions to validate ...

tokidoki11 commented 2 years ago

I just noticed leeway, which should change this instead, I think:

        $expireTime = $tokenExp + $leeway;
        if ($now > $expireTime) {
            throw new InvalidTokenException(sprintf(
                'Expiration Time (exp) claim error in the ID token; current time (%d) is after expiration time (%d)',
                $now,
                $expireTime
            ));
        }

One thing that I don't understand is that leeway, when unspecified, differs from time to time. It should be 60 seconds by default. Maybe this should be reported to auth0-php instead 🤔

https://auth0.github.io/auth0-PHP/classes/Auth0-SDK-Auth0.html

evansims commented 2 years ago

Hey @tokidoki11 👋 Thanks for the additional details.

Yes, time differential allowances are handled by using the Leeway configuration, we enable this by default to allow for clock drift between machines. This allowance is 60 seconds by default in Auth0-PHP v7 / Laravel-Auth0 v6. This would explain the behavior you're seeing, and it's intentional. The allowance doesn't vary, unless it's configured manually to do so.

(It's important to note the API spec you linked is for Auth0-PHP v8 / Laravel-Auth0 v7, both of which were near rewrites of those SDKs, and would not be applicable for your circumstances. I don't want you to be confused by what you read there not matching your results.)
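To make the leeway behaviour described above concrete, here is an added example (not code from auth0-php or laravel-auth0) that reproduces the exp check quoted earlier in the thread, using the same message format and the timestamps from the report; checkExpiration and the sample values are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the SDK's exception class.
final class InvalidTokenException extends \RuntimeException {}

// Same logic as the SDK snippet quoted above: the token is accepted until
// exp + leeway, and the message reports exp + leeway rather than the raw exp,
// which is why it differs from the exp claim shown by jwt.io.
function checkExpiration(int $tokenExp, int $now, int $leeway = 60): void
{
    $expireTime = $tokenExp + $leeway;
    if ($now > $expireTime) {
        throw new InvalidTokenException(sprintf(
            'Expiration Time (exp) claim error in the ID token; current time (%d) is after expiration time (%d)',
            $now,
            $expireTime
        ));
    }
}

// Constructed sample: exp = 1655789290 is the value from the report. The keys are
// seconds elapsed since exp; the values are the corresponding "current time".
$tokenExp = 1655789290;
$probes = [0 => 1655789290, 30 => 1655789320, 60 => 1655789350, 61 => 1655789351];

foreach ($probes as $delta => $now) {
    try {
        checkExpiration($tokenExp, $now);   // default 60 s leeway
        echo "+{$delta}s after exp: accepted\n";
    } catch (InvalidTokenException $e) {
        echo "+{$delta}s after exp: rejected: {$e->getMessage()}\n";
    }
}

// With leeway set to 0 the same token is rejected one second past exp,
// matching the 401 the /userinfo endpoint returned in the report.
try {
    checkExpiration($tokenExp, $tokenExp + 1, 0);
    echo "leeway=0, +1s: accepted\n";
} catch (InvalidTokenException $e) {
    echo "leeway=0, +1s: rejected\n";
}
```

The first three probes are accepted and only +61s is rejected, so a 60-second token lifetime effectively becomes 120 seconds unless leeway is lowered; a smaller leeway trades that window against tolerance for clock drift between the issuer and the API host.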

tokidoki11 commented 2 years ago

I configured the leeway and there are no changes between.

I'm closing this

Thank you @evansims