Solved: Re: GenerateJWT: Exp claim missing in jwt token wh...

bnaniwadekar · 12-02-2024 08:10 AM

Platform: ApigeeEdge

When using GenerateJWT policy to generate a JWT token, exp claim is not set when the ExpiresIn property value is set to less than 1 second. Apigee Edge appears to silently ignore this value (between 1-999ms) and as a result it generates a jwt with no exp claim, which means it never expires.

I did not find any documentation regarding this behavior and not sure whether it is a bug.

If ExpiresIn value is something the engine does not like, then instead of silently ignoring it and not setting the exp claim poses a security risk.

dchiesa1

They'll probably ask you for a test case that reproduces what you are observing. I tried my test ^^ attached above in Apigee Edge, and observed what you observed.

I expect that the support and engineering team will assign a lower priority since it's not impeding your work.

View solution in original post

dchiesa1

What you are reporting does not happen in Apigee X. (See attached proxy)

When I use values like 120ms or 500ms for the expiry, I get an exp claim in the resulting JWT.

If this is impeding your deployment, You will want to file a bug for this behavior, I guess.

bnaniwadekar

Thank you for your reply.

This is not immediately impeding however I will go ahead and file a bug report.

dchiesa1

They'll probably ask you for a test case that reproduces what you are observing. I tried my test ^^ attached above in Apigee Edge, and observed what you observed.

I expect that the support and engineering team will assign a lower priority since it's not impeding your work.

bnaniwadekar

Thanks much for confirming.

GenerateJWT: Exp claim missing in jwt token when ExpiresIn is set to less than 1 second