Passport: Invalid dates in JWT

Created on 26 Mar 2021 · 7 Comments · Source: laravel/passport


  • Passport Version: 10.1.2
  • Laravel Version: 8.33.0
  • PHP Version: 7.4
  • Database Driver & Version: MySQL 8

Description:

When validating the token issued from oauth/login the iat, nbf, and exp fields are coming back in an invalid date format that includes decimals.

Steps To Reproduce:

Create a token, validate it against something like https://jwt.io/

This is breaking in some of our apps because they are attempting to validate the JWT. The workaround, for now, is to disable validation. I believe this was introduced in Passport 10 or 10.1, but I'm not certain.

Another person had similar issues on Stack Overflow: https://stackoverflow.com/questions/65129092/laravel-passport-chanage-type-of-exp-iat-and-nbf-to-int-or-float

bug needs more info

All 7 comments

Afaik this is done with OAuth2 Server. I think I saw something fly by there about Lcobucci\JWT? @Sephster @lcobucci do any of you two know more about this?

I see https://github.com/thephpleague/oauth2-server/pull/1198 which isn't tagged yet atm. @billriess do the changes of that PR solve the issue for you?

We already addressed that in https://github.com/lcobucci/jwt/pull/706 and https://github.com/lcobucci/jwt/pull/710. Updating to the latest 4.x patches should solve the problem.

Also, 4.1 introduces the formatter that always uses integers - it's not the default, so users need to configure it.

Just to explain things better, time fractions are OK in jwt land. Our mistake was to represent them in strings - to not have precision issues when casting things to string (required to recreate the DateTimeImmutable object).

We've found an alternative to the casting that solves the issue and allows us to use floats - solving compatibility issues with other libs.

Thanks @lcobucci. @billriess can you update to the latest JWT version to see if that fixes the issue?

Odd, I had 4.1.2 already but after updating to 4.1.4 it seems to be good now. Going to close this.

Even when they are floats, in our experience talking to about 2 dozen external systems using JWTs, pretty much all of them fail on float dates (so incompatible with Laravel Passport). For those that are stuck in the integer world, my laravel-claims package also has support for custom formatters so you can just format them to ints. https://github.com/corbosman/laravel-passport-claims
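
A diagnostic sketch for the problem discussed in this thread, added here as an example and not code from Passport, oauth2-server or lcobucci/jwt: it decodes a token's payload without verifying the signature and reports whether iat, nbf and exp are encoded as integers, floats or strings. The function names and the sample token are constructed for illustration.

```python
import base64
import json

DATE_CLAIMS = ("iat", "nbf", "exp")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_numeric_date(value) -> str:
    """Classify one date claim by its JSON type."""
    if isinstance(value, bool):  # bool is an int subclass in Python
        return "invalid"
    if isinstance(value, int):
        return "integer"  # the form strict consumers expect
    if isinstance(value, float):
        return "float"  # a JSON number with a fraction; some consumers reject it
    if isinstance(value, str):
        return "string"  # not a JSON number at all
    return "invalid"


def inspect_token(token: str) -> dict:
    """Report the encoding of each date claim. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = json.loads(b64url_decode(parts[1]))
    return {c: classify_numeric_date(payload[c]) for c in DATE_CLAIMS if c in payload}


def make_sample_token(payload: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2ln"


if __name__ == "__main__":
    # Constructed payload showing all three encodings side by side.
    sample = make_sample_token(
        {"iat": "1616750000.123456", "nbf": 1616750000.123456, "exp": 1616753600}
    )
    print(inspect_token(sample))
```

Running it against a token issued before and after the library update shows which encoding a failing consumer is actually receiving.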
