
Format of Tokens returned now including microseconds #1395

Closed
livingos opened this issue Jan 11, 2021 · 5 comments

Comments

@livingos
Contributor

livingos commented Jan 11, 2021

  • Passport Version: 10.1.0
  • Laravel Version: 8.21.0
  • PHP Version: 7.4
  • Database Driver & Version: n/a

Description:

The format of timestamps in tokens returned from passport has changed. This is due to the underlying package, lcobucci/jwt, which is now including microseconds.

Before lcobucci/jwt 4.0, they looked like this:

{
  "aud": "8ee3248538ff43dcadc781951570d723",
  "jti": "b51a0da2e154e5d4d23ef6180ff28ec8772aa57fc79c46460259e34bb2f569332550e2883d575a15",
  "iat": 1610366303,
  "nbf": 1610366303,
  "exp": 1610366303,
  "sub": "3",
  "scopes": [
    "*"
  ]
}

now:

{
  "aud": "8ee3248538ff43dcadc781951570d723",
  "jti": "071757049a903ba0087a20091efa26ed0e0f591047a3aa7c472018a87293114dc4a2336c3ff3bd3a",
  "iat": "1610376242.152245",
  "nbf": "1610376242.152245",
  "exp": "1610383442.123882",
  "sub": "3",
  "scopes": [
    "*"
  ]
}

Timestamps now include microseconds and are also returned as strings.

This has a direct impact on any services using the tokens obtained from passport. E.g. validating passport tokens in another service which previously worked results in the token being deemed invalid.

For example if your other service is using something like firebase/php-jwt you will get a BeforeValidationException every time you try to verify a token since iat (1610383442.123882) is now always greater than current timestamp (1610383442).

Also, worth noting that Passport uses firebase/php-jwt for decoding Jwt Token Cookies but the rest of the time relies on lcobucci/jwt via league/oauth2-server.

I haven't tested, but I would suspect that jwt token cookies will no longer work either since firebase/php-jwt assumes timestamps are integers.

See also lcobucci/jwt#623.

Steps To Reproduce:

  1. Create a JWT in Passport.
  2. Decode and verify the token in another service using firebase/php-jwt.
  3. You get a BeforeValidationException.
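As an added example (not code from this issue, from Passport, or from lcobucci/jwt), a standard-library Go check of the kind a consuming service such as the Go CLI mentioned later in the thread could use: it accepts both the RFC 7519 numeric form and the string-with-microseconds form shown above, compares at whole-second granularity with a skew allowance, and fails closed on any other value. The payload is constructed from the claim values above, and the token's signature is assumed to have been verified before this check runs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// Constructed payload with the post-4.0 claim values from the issue (not a real token).
const samplePayload = `{"iat":"1610376242.152245","nbf":"1610376242.152245","exp":"1610383442.123882","sub":"3"}`

// numericDate converts a decoded date claim to whole seconds. RFC 7519 permits a
// JSON number with a fraction; the numeric string the issue reports is accepted
// deliberately. Truncation stops "1610383442.123882" reading as later than 1610383442.
func numericDate(v interface{}) (int64, error) {
	switch t := v.(type) {
	case float64: // encoding/json decodes every JSON number as float64
		return int64(t), nil
	case string:
		if f, err := strconv.ParseFloat(t, 64); err == nil {
			return int64(f), nil
		}
	}
	return 0, fmt.Errorf("claim %v is not a NumericDate", v)
}

// CheckTimeClaims validates exp (future) and nbf/iat (past) of an ALREADY
// signature-verified payload, with leeway for clock skew; missing claims fail closed.
func CheckTimeClaims(payload []byte, now time.Time, leeway time.Duration) error {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return err
	}
	sec, skew := now.Unix(), int64(leeway.Seconds())
	for name, expiry := range map[string]bool{"exp": true, "nbf": false, "iat": false} {
		t, err := numericDate(claims[name])
		if err != nil {
			return fmt.Errorf("%s: %w", name, err)
		}
		if (expiry && sec > t+skew) || (!expiry && t > sec+skew) {
			return fmt.Errorf("%s: token outside its validity window", name)
		}
	}
	return nil
}

func main() {
	fmt.Println(CheckTimeClaims([]byte(samplePayload), time.Unix(1610376242, 0), 0))
}
```

With the clock at 1610376242 and no leeway the check passes, which is exactly the case where a consumer comparing the untruncated 1610376242.152245 against an integer clock reports "before validation".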

@driesvints
Member

It seems that this is an issue that's already been addressed in JWT if I read the linked issue correctly? Should just wait for a new release I think.

@softwarespot

This also extends to other packages/languages e.g. I am using jwt-go, and this broke one of our applications, because it was expecting a float64, not a string. This isn't just affecting the Laravel ecosystem, but other ecosystems too, who use these tokens issued by passport.

Thanks for listening

@Sephster
Contributor

Why are you using tokens generated by passport with another oauth server? Interested in the use case here.

@softwarespot

softwarespot commented Feb 21, 2021

Good question, we have a CLI application written in Go which communicates with our PHP service (written using Laravel) and so we use the token when communicating with this service. One feature with this CLI is we show the tokens locally stored and their expiration time, which broke when I realised that "exp" was a string not a number. Hope that helps?

@Sephster
Contributor

Ahh I see. It looks like you've tracked down the issue and it will be resolved in an upcoming version of the JWT package lcobucci/jwt#618. Until then, I think devs will have to implement a custom override. Thanks for the explanation.
