I've created a proxy in which I added a VerifyJWT policy. Basically it just verifying the JWT with a given RSA Public Key and it is working fine. However i noticed the variable is_expired = false, but when I saw the value of the expiry_formatted, it should be expired.
Note: This was executed 2018-04-17
What do i need to add on the policy?
I would really appreciate your help on this.
Thanks,
Joemar Gealogo
I think nothing is wrong. The VerifyJWT policy will not verify a JWT that is expired.
The expiry_formatted value that you see is expressed in UCT. That may be the source of your misunderstanding. Maybe you are interpreting that as local time. I am guessing so, because when you said
This was executed 2018-04-17
..you didn't mention the time or the timezone.
I can see that the expiry time displayed was: 2018-04-16 22:17:19 +0000
RIGHT NOW, as I type this response, it is 2018-04-16 19:55:00 +000 . (you can find this here) In other words, your JWT is STILL not expired. It will expire in about 2 hours and 22 minutes.
If you are in the IST timezone, or anywhere that is "ahead" of UTC by 2.5 hours or so, then it may be 2018-04-17 locally, but the token is still not expired.
The key unknown in your post is "exactly what time was it on 2018-04-17?" and "what time zone is that time relative to?"
----
This might also help: If you scroll down on your Trace UI, there should be another variable "time_remaining_formatted". It will show you the time remaining in an HH:MM:SS format. Also there is another variable, "seconds_remaining". That will show you an integer number of seconds until the expiry of the JWT. These are set only if the JWT includes an exp claim .
Thanks for answering my question. Though, i've check the remaining time and it is negative value. Please see below.
What does this means?
Also what policy or strategy should i use to check if the token was already expired?
Thanks.
I already found a way to check if the token was already expired.
I added a Step with a Condition that is checking if jwt.verify-jwt.seconds_remaining LesserThanOrEquals 0, and it works as expected.
In case you know the best practice for this, just let me know.
Thanks,
Joemar