JWT: require valid `exp` claim by default
Users of JWT rightly expect tokens to be considered invalid once they expire. It is a surprise to some that this requires a change to the default configuration. In the interest of security we will now require a valid `exp` claim in tokens. Administrators can disable the check by changing `required_claims` back to the empty string. We do not add `nbf` as a required claim as it seems to not be set often in practice.

closes #5046
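The effect of the new default, modelled in Python as an added example (not code from this commit or its project): the same signed tokens are verified with `required_claims` empty and with it set to `exp`. It assumes the setting is a comma-separated list and that a claim is validated only when listed there; `sign`, `verify`, the key and the timestamps are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Build an HS256 token; used here only to construct sample input."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token: str, key: bytes, required_claims: str, now=None) -> dict:
    """Return the claims or raise ValueError. Assumed model: a claim is
    validated only when it is listed in the required_claims setting."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
    except ValueError as err:  # bad segment count, base64 or JSON
        raise ValueError("malformed token") from err
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # never trust the token's own alg choice
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise ValueError("bad signature")
    for name in (c.strip() for c in required_claims.split(",") if c.strip()):
        if name not in claims:
            raise ValueError(f"missing required claim: {name}")
        value = claims[name]
        if name in ("exp", "nbf"):
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                raise ValueError(f"{name} is not a number")
            if name == "exp" and now >= value:
                raise ValueError("token expired")
            if name == "nbf" and now < value:
                raise ValueError("token not yet valid")
    return claims

KEY = b"constructed-demo-key"  # constructed sample values, not from the page
NOW = 1_700_000_000
EXPIRED = sign({"sub": "alice", "exp": NOW - 3600}, KEY)
NO_EXP = sign({"sub": "alice"}, KEY)
FRESH = sign({"sub": "alice", "exp": NOW + 300}, KEY)
```

With the empty setting, both `EXPIRED` and `NO_EXP` verify; with `exp` required, only `FRESH` does, so issuers that never set `exp` will start seeing rejections after the change.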