yokomizor / ejabberd-auth-jwt

:speech_balloon: Ejabberd authentication module using JWT tokens
Apache License 2.0

Check JWT Date fields and issuer and audience field #9

Open ThomasChiroux opened 5 years ago

ThomasChiroux commented 5 years ago

It seems that the current version does not check JWT against the exp, iat, nbf fields. So currently a given JWT does give infinite access for the user. It seems important to support these features for security reasons.

In addition, checking against issuer and audience (if found in config) could be nice too.

yokomizor commented 5 years ago

Hey @ThomasChiroux, Thank you for your feedback.

JWT exp, iat and nbf should be verified by jose_jwt. I believe that verify is rejecting expired tokens.

About checking issuer and audience, indeed, it would be very nice 👍

Would you be interested in implementing it?
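As an added illustration of the checks this thread asks for (exp, nbf, iat, and optional iss/aud validation), the following Python is example code written for this page; it is not the module's own Erlang code and does not use jose_jwt. It builds and verifies HS256 tokens with the standard library only, the shared secret and fixed clock value are constructed for the demo, and requiring exp to be present is a policy choice made here so that a token can never grant unlimited access.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real deployment reads the secret from config.
SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000  # fixed "current time" so the demo is deterministic


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWT signed with HMAC-SHA256 (demo issuer side)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


class JwtError(Exception):
    pass


def verify_hs256_token(token, secret, expected_iss=None, expected_aud=None, now=None, leeway=0):
    """Verify signature first, then the time and identity claims; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never trust the token's own "alg" to select something weaker.
    if header.get("alg") != "HS256":
        raise JwtError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise JwtError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # exp is mandatory here (policy choice): a token without it would never expire.
    exp = claims.get("exp")
    if exp is None:
        raise JwtError("missing exp")
    if now > exp + leeway:
        raise JwtError("token expired")
    # nbf: token must not be accepted before its activation time.
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        raise JwtError("token not yet valid")
    # iat: an issued-at time in the future points to a bad clock or a forged claim.
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        raise JwtError("iat in the future")
    # Optional issuer / audience pinning, as the issue suggests when configured.
    if expected_iss is not None and claims.get("iss") != expected_iss:
        raise JwtError("issuer mismatch")
    if expected_aud is not None:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            raise JwtError("audience mismatch")
    return claims


def check_token(token, secret, expected_iss=None, expected_aud=None, now=None, leeway=0):
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_hs256_token(token, secret, expected_iss, expected_aud, now, leeway)
        return "ok"
    except JwtError as err:
        return str(err)


if __name__ == "__main__":
    valid = make_hs256_token(
        {"sub": "alice", "iss": "auth.example", "aud": ["ejabberd"],
         "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 300}, SECRET)
    expired = make_hs256_token({"sub": "alice", "exp": NOW - 1}, SECRET)
    print(check_token(valid, SECRET, "auth.example", "ejabberd", now=NOW))
    print(check_token(expired, SECRET, now=NOW))
```

The signature is checked before any claim is read, so untrusted claim values never influence the verifier; the small `leeway` parameter absorbs clock skew between the token issuer and the XMPP server without disabling the checks.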