Verify exp claim without verifying jwt

[jamesstonehill]

There is no way to verify the exp claim without verifying the JWT. It would be nice to be able to verify a specific claim.

exp = Time.now.to_i - 4 * 3600
exp_payload = { exp: exp }

token = JWT.encode exp_payload, 'asdf', 'HS256'

# This does not verify the expiration
decoded_token = JWT.decode token, nil, false, { verify_expiration: true }

decoded_token = JWT.decode token, nil, true, { verify_expiration: true }
# => No verification key available (JWT::DecodeError)

[excpt]

Hi @jamesstonehill,

Thanks for the detailed report.

I'll label this as a feature request.

The currently the verification will only check claims when the signature can be verified.

The only workaround for this is extracting the payload and handle it using custom code.

payload, header = JWT.decode token, nil, false

puts payload.inspect

[gchapim]

👍 to this

[jamesstonehill]

I opened a PR for this issue #287

[wenderjean]

Since this issue was attended by pull request #295, can we closed it? @excpt

[excpt]

@wenderjean Cleary yes. :)

[dkam]

Is it by design that verification passes when verify_expiration: true is given, but there's no expiry set in the token?

I want to ensure that an exp is set and this seemed like a good way to achieve that. I'm aware that I can check exp exists in the payload after decoding, but I liked the idea of JWT raising an exception if verify_expiration: true was given with no exp.

[danleyden]

@dkam I believe this is intentional and correct behaviour. Because the exp claim is optional (see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4) the token is not considered to have expired if there is no exp claim. The verify_expiration option is there to allow you to ignore the claim in the unusual case that you need to.

If your policy is to require an exp claim, you need to specify it as a required claim - see https://github.com/jwt/ruby-jwt#required-claims

[dkam]

Thank @danleyden - required claim does exactly what I was after.