Another token expiry issue #24

Closed
pliablepixels opened this issue May 3, 2019 · 3 comments

@pliablepixels
Contributor

pliablepixels commented May 3, 2019

Hi, thanks for this library. I'm pretty new to JWT as well as C++. I looked at this issue - not sure if it's the same problem.

I'm trying a simple example:

  • Generate a token for 10 minutes (token generation works, not sure about time)
  • Decode token to describe claims (works)
  • Verify token immediately (says token expires)

Would appreciate if you could spot an issue. Thanks.

Output:

Time now is: 2019-05-03T18:27:28Z
Encoded token:eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTY5MjY2NDgsImlhdCI6MTU1NjkyNjA0OCwiaXNzIjoiYXV0aDAifQ._0pFMLEtcvBHUR_T33eMV-l3n5pG1NRx_pIPmhHMW90
Decoded token details:iss = "auth0"
exp = 1556926648
iat = 1556926048
Validation results:oops exception:token verification failed: token expired

Code:

#include "include/jwt-cpp/jwt.h"
#include <chrono>
#include <ctime>
#include <iomanip>
#include <iostream>
#include <locale>
#include <sstream>
#include <string>

#define EXPIRY_MIN 10

// Format the current time as an ISO 8601 string built from std::gmtime.
std::string now_time()
{
  std::time_t now = std::time(0);
  std::tm* now_tm = std::gmtime(&now);
  char buf[100];
  std::strftime(buf, 100, "%Y-%m-%dT%H:%M:%SZ", now_tm);
  return buf;
}

int main(int argc, const char** argv) {
        std::tm tm = {};
        std::string now = now_time();
        std::cout << "Time now is: " << now << std::endl;

        // Parse the formatted string back into broken-down time fields.
        std::istringstream iss(now);
        iss >> std::get_time(&tm, "%Y-%m-%dT%H:%M:%SZ");

        // Convert the parsed fields to a time_point via std::mktime.
        auto tp = std::chrono::system_clock::from_time_t(std::mktime(&tm));
        auto expiresAt = tp + std::chrono::minutes(EXPIRY_MIN);

        // Create and sign the token with issuer, exp and iat claims.
        auto token = jwt::create()
                        .set_issuer("auth0")
                        .set_expires_at(jwt::date(expiresAt))
                        .set_issued_at(jwt::date(tp))
                        .sign(jwt::algorithm::hs256{"secret"});

        std::cout << "Encoded token:" << token << std::endl;

        // Decode the token and print its payload claims.
        std::cout << "Decoded token details:";
        auto decoded = jwt::decode(token);
        for (auto& e : decoded.get_payload_claims())
                std::cout << e.first << " = " << e.second.to_json() << std::endl;

        // Verify signature, issuer and time claims immediately after creation.
        std::cout << "Validation results:";
        auto verifier = jwt::verify()
                        .allow_algorithm(jwt::algorithm::hs256{ "secret" })
                        .with_issuer("auth0");

        try {
                verifier.verify(decoded);
        }
        catch (const std::exception &exc) {
                std::cerr << "oops exception:" << exc.what() << std::endl;
        }
}

@pliablepixels
Contributor Author

pliablepixels commented May 3, 2019

Resolved. I was overcomplicating the time calculation, not a problem with your library.

 .set_issued_at(jwt::date(std::chrono::system_clock::now()))
 .set_expires_at(jwt::date(std::chrono::system_clock::now() + std::chrono::minutes{EXPIRY_MIN}))

is the right way, it seems (as long as validation and generation happen on the same system)

@Thalhammer
Owner

Quick side note (I already looked at it before you closed it).
The time you provide must be UTC.
get_time uses the local timezone, I believe, while the library uses std::chrono::system_time::now() by default, which is UTC. This results in the token being expired at the time of creation.
You can change the clock used by specifying a custom clock struct on the creation of the verifier; however, I strongly recommend against it, as the standard specifies UTC and that would break compatibility with every other system.

@pliablepixels
Contributor Author

Thanks - I'm curious if it would be possible to post an example of the right way to get UTC time somewhere in your documents? I know it's not related to your library, but I think it is a common requirement along with this application, and an example that shows us how to correctly pick UTC everywhere will be very useful. Thank you.
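
The following is an added example, not code from this thread or from jwt-cpp: it reproduces the mismatch visible in the issue's output, where the decoded `iat` (1556926048) is 18000 seconds ahead of the printed UTC time, by converting the same timestamp once with `std::mktime` and once with no local-zone step. The `EST5` zone and the helper names `to_epoch_local`, `to_epoch_utc` and `expiry_from_now` are assumptions made for the demonstration; `setenv` and `tzset` are POSIX.

```cpp
#include <chrono>
#include <cstdlib>
#include <ctime>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Split "YYYY-MM-DDTHH:MM:SSZ" into calendar fields; no time zone is applied yet.
static std::tm parse_fields(const std::string& s) {
    std::tm tm = {};
    std::istringstream in(s);
    in >> std::get_time(&tm, "%Y-%m-%dT%H:%M:%SZ");
    return tm;
}

// The conversion used in the issue: std::mktime reads the fields as LOCAL time.
std::time_t to_epoch_local(const std::string& s) {
    std::tm tm = parse_fields(s);
    return std::mktime(&tm);
}

// Zone-independent conversion (hypothetical helper): days since 1970-01-01 in the
// Gregorian calendar. timegm (glibc/BSD) and _mkgmtime (MSVC) do the same job.
std::time_t to_epoch_utc(const std::string& s) {
    std::tm tm = parse_fields(s);
    long y = tm.tm_year + 1900, m = tm.tm_mon + 1;
    if (m <= 2) { y -= 1; m += 12; }  // count Jan/Feb as months 13/14 of the prior year
    long days = 365 * y + y / 4 - y / 100 + y / 400
              + (153 * (m - 3) + 2) / 5 + tm.tm_mday - 719469;
    return static_cast<std::time_t>(days) * 86400
         + tm.tm_hour * 3600 + tm.tm_min * 60 + tm.tm_sec;
}

// What the thread settles on: derive the claim from system_clock, no string round trip.
std::time_t expiry_from_now(std::chrono::minutes ttl) {
    return std::chrono::system_clock::to_time_t(std::chrono::system_clock::now() + ttl);
}

int main() {
    ::setenv("TZ", "EST5", 1);  // constructed zone for the demo: UTC-5, no DST (POSIX)
    ::tzset();
    const std::string stamp = "2019-05-03T18:27:28Z";  // "Time now" line from the issue
    std::cout << "mktime (local): " << to_epoch_local(stamp) << "\n"
              << "UTC:            " << to_epoch_utc(stamp) << "\n"
              << "skew seconds:   " << to_epoch_local(stamp) - to_epoch_utc(stamp) << "\n";
}
```

Because `exp` and `iat` bound the window in which a token is accepted, a skew of this size shifts that window by hours, so taking both claims from `std::chrono::system_clock::now()` avoids the local-zone step entirely.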
