Module accepts any issuer and expiration #50
Comments
It was a misconfiguration of the token. iss and exp were in the header instead of the payload. But I'm not sure a token should be accepted as valid when AuthJWTIss / AuthJWTExpDelay is set, but iss / exp is missing.
The AuthJWTExpDelay and AuthJWTIss are only used to issue tokens. However, it is a good point. If there is a configured issuer and expiration delay, it's important to validate them afterwards. I will have a look at the code to check this behavior. Any pull request is welcome. Anthony
Hello, Any news on this? Do you plan to work on it? Thank you in advance
FWIW, the examples in the README imply that AuthJWTIss is relevant when validating tokens also. https://github.com/AnthonyDeroche/mod_authnz_jwt#authorization
Installing the newest version from source and using e.g. the minimal configuration from the readme, the module accepts just any value given as AuthJWTIss and does not mind the expiration time. Access is only denied if the token is completely wrong.