frasertweedale
commented
8 months ago Thanks for reporting.
It is a security decision of hs-jose to prohibit any access to JWS payload except via verification. That said, you have described a legitimate use case for access to unverified payload data.
As of current releases, the best you can do is parse the token yourself and extract the raw payload byte, then decode using instance FromJSON ClaimsSet and access the expiration time field. So, hs-jose helps a little, but you still have some manual work.
I will contemplate adding an "unsafe get payload" capability to the library, to support this (and similar) use cases.
endgame
I am trying to use a web service provided by a third party. It has an authentication endpoint that expects HTTP Basic Authentication and upon successful authentication returns a JWT. This JWT can then be passed alongside requests to the other endpoints of the service in order to authorize access.
This JWT is valid for an hour and I would like to reuse it across multiple requests and only refresh/reacquire it once it has expired. In order to do this, I would like to read the expiration time of the JWT using
jose. However, the documentation forverifyJWTsays:This sounds to me like in order to get the expiration time, I would have to fully verify the JWT. However, I cannot do so since I do not have the JWK. In this scenario, I am just passing the JWT from one endpoint to another, being neither the issuer of the token, nor the party interested in verifying it. So I think in this situation I am neither expected/required nor able to fully verify the JWT.
What should I do in this case?