I'm using the "0.6@dev" branch, and I've set JWT_TTL=null in my .env file. In my authentication controller, after the sign in via credentials (user, pass), I want to add a JWT to the response headers:
```php
try {
    $token = $this->JWTAuth->fromUser($user);
    $headers = [
        'Authorization' => 'Bearer ' . $token
    ];
} catch (JWTException $e) {
    dd($e);
}
```
This block fails with a TokenInvalidException: "JWT payload does not contain the required claims". Indeed, there is no "exp" claim, and therefore the call to Tymon\JWTAuth\Validators\PayloadValidator@validateStructure() fails:
```php
protected $requiredClaims = ['iss', 'iat', 'exp', 'nbf', 'sub', 'jti'];
...
protected function validateStructure(array $payload)
{
    if (count(array_diff($this->requiredClaims, array_keys($payload))) !== 0) {
        throw new TokenInvalidException('JWT payload does not contain the required claims');
    }
    return true;
}
```
I haven't solved this the way it was done in #329 by overloading the payload binding ... mostly because it sounded like it was solved. But I guess not? Or am I doing something wrong?
Gah ... if you want non-expiring tokens, you need to set JWT_TTL=null in your environment file, _and_ you need to remove 'exp' from the list of required claims in your configuration file:
```php
'required_claims' => ['iss', 'iat', 'nbf', 'sub', 'jti'],
```
Hopefully that gets documented. :)
Yep, I will be sure to mention that. Thanks
@tymondesigns I realize this has been closed and I apologize for bringing this up but I have a situation where I need both. We have a one-off user that wants a one time non-expiring token while everybody else will just authenticate and get a new token every time. This fix seems to be a one or the other method. Is there any way to implement both within the same application?
@tymondesigns Can we somehow dynamically call setRequiredClaims and setTTL to be able to remove the 'exp' claim when a permanent token is needed, but keep it in the default claims for every other token creation?
I tried suggestions like
```php
JWTAuth::factory()->validator()->setRequiredClaims(['iss', 'iat', 'nbf', 'jti']);
JWTAuth::factory()->setTTL(null);
```
or
```php
JWTAuth::factory()->setDefaultClaims(['iss', 'iat', 'nbf', 'jti'])
```
or
```php
$payload = JWTFactory::setRefreshTTL(null)->setTTL(null)->setRequiredClaims(['iss', 'iat', 'nbf', 'sub', 'jti'])->make(['sub' => $this->id, 'foo' => 'bar']);
```
but they don't work for me. Claim 'exp' is always set to the date of creation, which means expired.
Was not using the rc-1
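The two questions above ask how one application can accept an expiring token for everyone and a non-expiring token for a single user. The following is an added, stand-alone example, not the jwt-auth library's code and not any poster's code: it re-implements the `validateStructure()` rule quoted earlier, adds the timestamp check, and shows that a payload without `exp` passes only against a validator whose required-claims list omits `exp`, while the default validator keeps rejecting it. The class name `ClaimsValidator`, the `withRequiredClaims()` helper, `makePayload()` and the sample issuer are assumptions chosen for illustration.

```php
<?php
// Added example, not the jwt-auth library's own PayloadValidator.
// ClaimsValidator, withRequiredClaims() and makePayload() are illustrative
// names; the structure rule mirrors validateStructure() from the thread.
declare(strict_types=1);

class TokenInvalidException extends Exception {}
class TokenExpiredException extends Exception {}

final class ClaimsValidator
{
    /** @var string[] */
    private array $requiredClaims;

    /** @param string[] $requiredClaims */
    public function __construct(array $requiredClaims)
    {
        $this->requiredClaims = $requiredClaims;
    }

    // A copy with a different required-claims list, so a one-off permanent
    // token can be checked without reconfiguring the validator used for
    // every other token.
    public function withRequiredClaims(array $requiredClaims): self
    {
        return new self($requiredClaims);
    }

    // Structural check: every required claim must be present in the payload.
    public function validateStructure(array $payload): bool
    {
        if (count(array_diff($this->requiredClaims, array_keys($payload))) !== 0) {
            throw new TokenInvalidException('JWT payload does not contain the required claims');
        }
        return true;
    }

    // Time check: 'exp' is only enforced when present; 'nbf' must not be in the future.
    public function validateTimestamps(array $payload, int $now): bool
    {
        if (isset($payload['exp']) && $payload['exp'] <= $now) {
            throw new TokenExpiredException('Token has expired');
        }
        if (isset($payload['nbf']) && $payload['nbf'] > $now) {
            throw new TokenInvalidException('Not Before (nbf) timestamp cannot be in the future');
        }
        return true;
    }

    public function validate(array $payload, int $now): bool
    {
        return $this->validateStructure($payload) && $this->validateTimestamps($payload, $now);
    }
}

// Build a payload the way a token factory would: TTL in minutes, or null
// (the JWT_TTL=null case) to leave 'exp' out entirely.
function makePayload(string $sub, int $issuedAt, ?int $ttlMinutes): array
{
    $payload = [
        'iss' => 'https://example.invalid', // constructed sample issuer
        'iat' => $issuedAt,
        'nbf' => $issuedAt,
        'sub' => $sub,
        'jti' => bin2hex(random_bytes(8)),  // unique id, usable for revocation lists
    ];
    if ($ttlMinutes !== null) {
        $payload['exp'] = $issuedAt + $ttlMinutes * 60;
    }
    return $payload;
}

$now = time();
$defaultValidator   = new ClaimsValidator(['iss', 'iat', 'exp', 'nbf', 'sub', 'jti']);
$permanentValidator = $defaultValidator->withRequiredClaims(['iss', 'iat', 'nbf', 'sub', 'jti']);

$normal    = makePayload('user-1', $now, 60);   // expires in one hour
$permanent = makePayload('user-2', $now, null); // no 'exp' claim at all

var_dump($defaultValidator->validate($normal, $now));        // bool(true)
var_dump($permanentValidator->validate($permanent, $now));   // bool(true): 'exp' not required here

try {
    $defaultValidator->validate($permanent, $now);           // the failure seen in the thread
} catch (TokenInvalidException $e) {
    echo $e->getMessage(), PHP_EOL;
}
try {
    $defaultValidator->validate($normal, $now + 3601);       // expiring tokens still expire
} catch (TokenExpiredException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Because a token without `exp` can never time out, the only way to retire the permanent one is to revoke it explicitly, which is why keeping `jti` in the required claims matters: it gives the server a stable identifier to put on a revocation list.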