You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Installing the newest version from source and using e.g. the minimal configuration from the readme, the module accepts just any value given as AuthJWTIss and does not mind the expiration time. Access is only denied if the token is completely wrong.
The text was updated successfully, but these errors were encountered:
It was a misconfiguration of the token. iss and exp was in the header instead of the payload. But I'm not sure a token should be accepted as valid when AuthJWTIss / AuthJWTExpDelay is set, but iss / exp is missing.
The AuthJWTExpDelay and AuthJWTIss are only used to issue tokens.
However, it is a good point. If there is a configured issuer and expiration delay, it's important to validate them afterwards. I will have a look on the code to check this behavior.
Installing the newest version from source and using e.g. the minimal configuration from the readme, the module accepts just any value given as AuthJWTIss and does not mind the expiration time. Access is only denied if the token is completely wrong.
The text was updated successfully, but these errors were encountered: