Using JWTEncoderInterface to decode a token and ignoring Expired about lexikjwtauthenticationbundle HOT 3 CLOSED

I like the idea of having a way of refreshing the token, I haven't seen anything about it in the JWT RFC but it might be worth it to implement it.

Currently, the method that validates the token validity is the JWS::isValid from the namshi jose library which checks both token integrity and expiration. Removing the exp key (using the JWTCreatedEvent) from the token should bypass that problem.

In the next release, we could set the token expiration check optionnal. Globally or on a firewall specifically. Along with a refresh mecanism.

from lexikjwtauthenticationbundle.

Instead of removing the 'exp' key, which is something that you don't want removed as every JWT token should ideally have it, I have extended JWTEncoder and added the following function to it.

    /**
     * @param string $token The token string
     *
     * @return array|bool
     */
    public function decodeIgnoreExpired($token)
    {
        try {
            /** @var JWS $jws */
            $jws = JWS::load($token);
        } catch (\InvalidArgumentException $e) {
            return false;
        }

        if (!$jws->verify($this->getPublicKey())) {
            return false;
        }

        return $jws->getPayload();
    }

This only verifies integrity and ignores expiration.

Also, since there's no RFC for implementing refresh, I believe you should leave out of your bundle for a while.. but make it possible for somebody to implement the refresh endpoint on their own accord. (I had to do quite a bit of overriding to implement a refresh token endpoint).

from lexikjwtauthenticationbundle.

Good ! You're right, I don't think refresh should be implemented directly in the bundle. A simple recipe in the documentation should suffice. You're welcome to share your experience :)

from lexikjwtauthenticationbundle.