New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add "exp" to mandatory JWT claims #5046
Comments
We used to validate the
I agree with you that |
Thank you for your quick reply, I agree that sticking to the spec here makes sense. And also to differentiate between claims that are required for the fundamental usability of the tokens by the app ( |
comparing to another JWT library; https://github.com/G-Corp/jwerl/blob/6e778543ef7470e9e8ae32700f5e5a8cc25e00a4/src/jwerl.erl#L115
that |
Interesting piece of code, so by default they just skip the checks of some important properties (could have just returned ok instead ). The reason why I stopped by here initially is that while having worked with several applications validating JWTs using different libs for that, none of them required me to configure these checks but implemented them as defaults. That's kind of the expected behavior. |
Users of JWT rightly expect tokens to be considered invalid once they expire. It is a surprise to some that this requires a change to the default configuration. In the interest of security we will now require a valid `exp` claim in tokens. Administrators can disable the check by changing `required_claims` back to the empty string. We do not add `nbf` as a required claim as it seems to not be set often in practice. closes #5046
Users of JWT rightly expect tokens to be considered invalid once they expire. It is a surprise to some that this requires a change to the default configuration. In the interest of security we will now require a valid `exp` claim in tokens. Administrators can disable the check by changing `required_claims` back to the empty string. We do not add `nbf` as a required claim as it seems to not be set often in practice. closes #5046
Users of JWT rightly expect tokens to be considered invalid once they expire. It is a surprise to some that this requires a change to the default configuration. In the interest of security we will now require a valid `exp` claim in tokens. Administrators can disable the check by changing `required_claims` back to the empty string. We do not add `nbf` as a required claim as it seems to not be set often in practice. closes #5046
Users of JWT rightly expect tokens to be considered invalid once they expire. It is a surprise to some that this requires a change to the default configuration. In the interest of security we will now require a valid `exp` claim in tokens. Administrators can disable the check by changing `required_claims` back to the empty string. We do not add `nbf` as a required claim as it seems to not be set often in practice. closes #5046
Users of JWT rightly expect tokens to be considered invalid once they expire. It is a surprise to some that this requires a change to the default configuration. In the interest of security we will now require a valid `exp` claim in tokens. Administrators can disable the check by changing `required_claims` back to the empty string. We do not add `nbf` as a required claim as it seems to not be set often in practice. closes #5046
Summary
As I implemented JWT auth for CouchDb, I stumbled upon the "exp" claim being optional and not checked if not configured explicitly.
As long-lived or never expiring JWT tokens are most likely not what you (should) want when working with them, I would expect that claim to be part of standard validation behavior.
Making it optional might lead people to think it's ok to neglect it.
Desired Behaviour
This claim should be mandatory by default, as JWTs should be short lived following the concept.
If someone actually wants to make their tokens last forever, they would have to actively make a bad decision rather than passively making it by not carefully reading the documentation, not testing properly or a lack of conceptual understanding of JWT auth.
Possible Solution
Please consider adding "exp" to the mandatory claims alongside "alg" and "sub".
If it has to stay possible to disable the check for a (good) reason, please add a configuration opportunity to disable the default exp check.
If you do not want to implement this, please emphasize that ignoring "exp" is a bad idea in the documentation.
Additional context
Security is not everybody's favorite topic. "Do my tokens really have to be short lived" is a common question beginners have. As a community, we should help pointing people in the right direction by defining sensible defaults and implementing best practices to promote the proper design of things.
Acknowledgements
Anyways, thank you for your time and work on this great product!
The text was updated successfully, but these errors were encountered: