
VerifyJWS nbf check not working

We are using the VerifyJWS policy and wanted to validate the access token. It is working as expected, but we have recently introduced a claim called nbf. We are using the valid variable as described in https://docs.apigee.com/api-platform/reference/policies/verify-jws-policy, but in all cases this variable is getting set to true, whereas for a future nbf it should be false. Screenshots attached.


Could you please help me with the fix? This seems to be a product issue. We are using Apigee X.

ACCEPTED SOLUTION

DecodeJWT is showing you an nbf claim that is ~10 years in the future. But VerifyJWS is succeeding. What's up?

tl;dr: VerifyJWS does not examine the claims in the payload.

You are doing two things:

  • DecodeJWT to examine the claims in ... what appears to be a JWT
  • VerifyJWS to verify the signature over that payload. It works, despite the nbf being in the future.

But VerifyJWS does not verify JWT claims! If you want to verify JWT claims, then you need to use VerifyJWT.

A signed JWT is also a JWS. So you can use VerifyJWS on a JWT, and it will simply check the algorithm and signature. Nothing else.

If you want to check validity date claims like exp and nbf, or check the max lifetime of the JWT, or check other claims, then you need to use VerifyJWT.

Solution: use VerifyJWT to verify your JWT.
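As an added illustration (not Apigee's code and not part of the original thread), here is a stand-alone Python model of the two checks the answer distinguishes: a signature-only JWS verifier and a JWT verifier that also enforces nbf and exp. The HS256 secret, the timestamps and the ten-years-ahead nbf are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jws(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) over a JSON claim set."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jws(token: str, secret: bytes) -> bool:
    """Signature-only check, the VerifyJWS behaviour: the claims are never read."""
    try:
        header, payload, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
        sig_bytes = _b64url_decode(sig)
    except (ValueError, json.JSONDecodeError):
        return False
    if alg != "HS256":  # pin the algorithm; the header must not choose it
        return False
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig_bytes)


def verify_jwt(token: str, secret: bytes, now=None, leeway: int = 0) -> bool:
    """Signature plus time claims, the VerifyJWT behaviour (nbf and exp only here)."""
    if not verify_jws(token, secret):
        return False
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    now = int(time.time()) if now is None else now
    if "nbf" in claims and now + leeway < claims["nbf"]:
        return False  # not yet valid: this is the case the question hit
    if "exp" in claims and now - leeway >= claims["exp"]:
        return False  # expired
    return True


# Constructed demo: nbf ten years ahead of the constructed "now".
DEMO_SECRET = b"constructed-demo-secret"
DEMO_NOW = 1_720_000_000
FUTURE_NBF_TOKEN = make_hs256_jws(
    {"sub": "demo", "nbf": DEMO_NOW + 10 * 365 * 86400, "exp": DEMO_NOW + 11 * 365 * 86400},
    DEMO_SECRET,
)
```

Running verify_jws on FUTURE_NBF_TOKEN returns True while verify_jwt with now=DEMO_NOW returns False, which is exactly the gap between the two policies.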

