Lexikjwtauthenticationbundle: Using lcobucci/jwt v4.0 breaks iat claim

Created on 10 Jan 2021  路  4Comments  路  Source: lexik/LexikJWTAuthenticationBundle

I think this issued could be almost the same as #803

public function onJWTCreated(JWTCreatedEvent $event)
{
    $payload['iat'] = time() - 15;
    $event->setData($payload);
}

Gives
Builder#withClaim() is meant to be used for non-registered claims, check the documentation on how to set claim "iat"

Most helpful comment

Thank you for the report, I'm going to release a fix for this in the next couple of days.

All 4 comments

Thank you for the report, I'm going to release a fix for this in the next couple of days.

Similar issue over here: the problem happens in

https://github.com/lexik/LexikJWTAuthenticationBundle/blob/f6c0d9a2816b52e759ed1ba0658b45786b58fdf7/Services/JWSProvider/LcobucciJWSProvider.php#L100-L144

Specifically, this line leads to the crash: https://github.com/lexik/LexikJWTAuthenticationBundle/blob/f6c0d9a2816b52e759ed1ba0658b45786b58fdf7/Services/JWSProvider/LcobucciJWSProvider.php#L144

If 'iat' is passed as one of the values of the token, this crashes.

A relatively simplistic way to verify this is by decoding a token, extracting its data (which will contain "iat") and then re-encoding it: that leads to a crash.

Thanks for the helpful details. Fix released in v2.10.6

Thanks @chalasr \o/

Was this page helpful?
0 / 5 - 0 ratings