How to validate access token that expired?

[jcubic]

It seems that the library changed the way it checks for expired tokens from manual handling to throwing exceptions. And now you can put a random JWT token as an expired token if you obtain a refresh token. I think this is a huge flaw in the library.

I wanted to validate that all data are there and manually check if the token expired so I can confirm that the old token was valid when it was valid and it's not a random token.

Because you can't validate expired tokens, both access and refresh tokens need to have exact same claims because you can't recreate a new access token based on an old one.

[bshaffer]

the library changed the way it cheks for expired tokens from manual handling to exceptions

We did not change the way we handle expired tokens. This library has always thrown exceptions when a token has expired. We did change when the iat header is validated (see #493) recently, but this would result in fewer JWTs throwing exceptions.

now you can put a random JWT token as an expired token if you obtain a refresh token.

This library does not support "refresh tokens". Any use of this library in refresh tokens is being implemented by a library or application outside of this library.

If you can provide us with an example of how you think the library changed, we can take a look. However I believe you are confused as to which library this is, and maybe it's a different library which changed behavior.

[jcubic]

I was reading this article How to Secure a PHP API Using JWT that shows this code:

use Firebase\JWT\JWT;
...
$secret_Key  = '68V0zWFrS72GbpPreidkQFLfj4v9m3Ti+DXc8OB0gcM=';
$token = JWT::decode($jwt, $secret_Key, ['HS512']);
$now = new DateTimeImmutable();
$serverName = "your.domain.name";

if ($token->iss !== $serverName ||
    $token->nbf > $now->getTimestamp() ||
    $token->exp < $now->getTimestamp())
{
    header('HTTP/1.1 401 Unauthorized');
    exit;
}

So I assume this is the valid code that checks the expiration of the token, and because it doesn't work and throws an exception when the token expires, I assume that the API changed. And I know that you don't support refresh tokens, I have my own implementation of refresh tokens but I would like to verify that the token it valid and expired at the same that. I need to implement secure Authentication.

[bshaffer]

I don't know why that blog is having you check nbf / exp - we already check these fields in the JWT::decode method:

nbf

php-jwt/src/JWT.php

Lines 155 to 159 in 3936842

	if (isset($payload->nbf) && floor($payload->nbf) > ($timestamp + static::$leeway)) {
	throw new BeforeValidException(
	'Cannot handle token prior to ' . \date(DateTime::ISO8601, (int) $payload->nbf)
	);
	}

exp

php-jwt/src/JWT.php

Lines 171 to 173 in 3936842

	if (isset($payload->exp) && ($timestamp - static::$leeway) >= $payload->exp) {
	throw new ExpiredException('Expired token');
	}

As for the iss, this is something you would need to check in your own application (as they have there).

So yes, it seems like that post is incorrect. This library throws exceptions, and you should wrap the calls to decode in a try/catch in order to log/validate them. Good luck!

[jcubic]

OK, thanks for the explanation.