I would like to verify JWT signature and exp time but not nbf. Is there a way to do so? #494
Main aim is to verify the signature. I'm currently using the jwtVerify method, which also checks exp and nbf. I don't want to perform validation on nbf. Are there any plans to make it configurable, or is there any temporary workaround for that? I'm thinking of replacing jwtVerify with compactVerify. I can probably tackle exp validation on my end. Can you please provide insights on this? And would it be okay to replace it (assuming jwtVerify and compactVerify validate the signature in a similar manner, and it's just the additional check of claims and payload in jwtVerify which is not available in compactVerify)?
Replies: 2 comments 1 reply
I have a similar issue. The "nbf" validation will cause an issue when the client end's time is not very accurate. It should allow a small time difference; we cannot assume all the client ends have accurate time.
When it comes to validating the JWT Claims Set there's no way to omit a particular timestamp claim validation. You can obviously just do `compactVerify` to verify the signature and then process the entire claims set on your own.
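
One way to follow the answer above, as an added example that is not part of the original thread or the jose project's own code: once `compactVerify` has verified the signature, the returned payload is parsed and `exp` is enforced while `nbf` is left unevaluated. The function names, the `toleranceSec`, `issuer` and `audience` options and the choice to require `exp` are assumptions of this example; `compactVerify` is passed in from the `jose` package.

```javascript
// Added example: claims handling after jose's compactVerify, with nbf deliberately not checked.
// `payloadBytes` is the Uint8Array that compactVerify returns as `payload`.
function checkClaimsIgnoringNbf(payloadBytes, { now = Date.now(), toleranceSec = 0, issuer, audience } = {}) {
  let claims;
  try {
    claims = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(payloadBytes));
  } catch {
    throw new Error('payload is not valid JSON');
  }
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    throw new Error('JWT Claims Set must be a JSON object');
  }
  const nowSec = Math.floor(now / 1000);
  // Assumption of this example: a token without a numeric exp is rejected.
  if (typeof claims.exp !== 'number' || !Number.isFinite(claims.exp)) {
    throw new Error('"exp" claim missing or not a number');
  }
  // toleranceSec absorbs small clock differences between issuer and verifier.
  if (claims.exp <= nowSec - toleranceSec) {
    throw new Error('token expired');
  }
  if (issuer !== undefined && claims.iss !== issuer) {
    throw new Error('unexpected "iss"');
  }
  if (audience !== undefined) {
    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (!aud.includes(audience)) throw new Error('unexpected "aud"');
  }
  return claims; // nbf, if present, is returned but was not evaluated
}

// Hypothetical wrapper. In an application, pass the compactVerify function
// imported from the jose package as the third argument.
async function verifyIgnoringNbf(jwt, key, compactVerify, options = {}) {
  // The signature is verified first; claims are only read from a verified payload.
  const { payload } = await compactVerify(jwt, key, { algorithms: options.algorithms });
  return checkClaimsIgnoringNbf(payload, options);
}
```

If the concern is only clock skew between client and server, `jwtVerify` accepts a `clockTolerance` option, which keeps the `nbf` check while allowing a small time difference.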