Since access tokens are not always jwts it was incorrect to parse them and check the exp claim. Id tokens and refresh tokens are still parsed as jwts and exp is checked (however if refresh tokens are not valid jwts – which they do not have to be – this will not throw an, but the token will be treated as not expired on the client side.
Fix of problem described in #179
Since access tokens are not always jwts it was incorrect to parse them and check the exp claim. Id tokens and refresh tokens are still parsed as jwts and exp is checked (however if refresh tokens are not valid jwts – which they do not have to be – this will not throw an, but the token will be treated as not expired on the client side.