
token is still alive, when "exp" = NOW #646

Closed
taisuke-fujimoto opened this issue Dec 9, 2022 · 2 comments · Fixed by #652
Labels
needs investigation An issue that has more questions to answer or otherwise needs work to fully understand the issue

Comments

@taisuke-fujimoto

Describe the problem

I tried with the code below, but no exception occurred. (TokenExpiredException occurs when Clock is +1 second)
This means that token lifetime is NOW <= "exp"

// kotlin code
import com.auth0.jwt.JWT
import com.auth0.jwt.JWTVerifier
import com.auth0.jwt.algorithms.Algorithm
import java.time.Clock
import java.time.Instant
import java.time.ZoneId
import java.time.temporal.ChronoUnit

// "exp" is carried with second precision, so pin the test to a whole-second instant
val expiresAt = Instant.now().truncatedTo(ChronoUnit.SECONDS)
val token = JWT.create()
    .withExpiresAt(expiresAt)
    .sign(Algorithm.HMAC256("test"))

// BaseVerification.build(Clock) fixes the verifier's "now" to exactly "exp"
val verifier = (JWT.require(Algorithm.HMAC256("test")) as JWTVerifier.BaseVerification)
    .build(Clock.fixed(expiresAt, ZoneId.of("UTC")))

verifier.verify(token) // expected TokenExpiredException, but none is thrown

Shouldn't the token lifetime be NOW < "exp"?

I think this description is correct.
https://github.com/auth0/java-jwt/blob/master/EXAMPLES.md#datetime-claim-validation

Environment

  • Version of this library used: 4.2.1
  • Version of Java used: 11
  • Other modules/plugins/libraries that might be involved: Kotlin 1.7.22
jimmyjames added the needs investigation label Dec 19, 2022

@jimmyjames (Contributor)

Hey @taisuke-fujimoto, thanks for the issue and test case. Yes, the specification states that the exp must be before the current time, so it looks like there is an off-by-1 second here.

@justeff commented Jan 24, 2023

The problem is in the assertInstantIsFuture method.

The specification states:
The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.

That means:

  • A token isn't expired and valid if NOW < exp
  • A token is expired if NOW >= exp

The method assertInstantIsFuture checks for a valid token with:

  • !now.isAfter(exp) => !(NOW > exp)

The correct way should be:

  • NOW < exp => now.isBefore(exp)
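
The boundary described above, as an added stand-alone re-implementation (not java-jwt's code and not the commenter's): a minimal HS256 verifier whose `exp` check can be swapped between the reported predicate (`!now.isAfter(exp)`) and the RFC 7519 one (`now.isBefore(exp)`), with leeway. Helper names, the key `b"test"` and the sample epoch values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    # base64url without padding, as compact JWS segments require (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def create_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS signed with HS256 (constructed helper for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def exp_check_buggy(exp: int, now: int, leeway: int = 0) -> bool:
    # The predicate the issue describes: !now.isAfter(exp), i.e. accept unless now > exp.
    return not ((now - leeway) > exp)


def exp_check_rfc7519(exp: int, now: int, leeway: int = 0) -> bool:
    # RFC 7519 section 4.1.4: the current time MUST be before exp, i.e. now.isBefore(exp).
    return (now - leeway) < exp


def verify_hs256(token: str, key: bytes, now: int, leeway: int = 0, exp_check=exp_check_rfc7519) -> dict:
    """Check the signature, then exp at whole-second `now`; raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier pins the algorithm; the token does not choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if "exp" in claims and not exp_check(int(claims["exp"]), now, leeway):
        raise ValueError("token expired")
    return claims


def boundary_table(exp: int) -> dict:
    """Accept (True) / reject (False) at now = exp-1, exp, exp+1 for both predicates."""
    return {name: [fn(exp, t) for t in (exp - 1, exp, exp + 1)]
            for name, fn in (("buggy", exp_check_buggy), ("rfc7519", exp_check_rfc7519))}
```

The two tables differ only in the middle column: at now == exp the reported predicate still accepts, the RFC one rejects.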
