Invalid dates in JWT #1430

Closed
billriess opened this issue Mar 26, 2021 · 7 comments

Comments

@billriess
Contributor

  • Passport Version: 10.1.2
  • Laravel Version: 8.33.0
  • PHP Version: 7.4
  • Database Driver & Version: MySQL 8

Description:

When validating the token issued from oauth/login, the iat, nbf, and exp fields are coming back in an invalid date format that includes decimals.

Steps To Reproduce:

Create a token, validate it against something like https://jwt.io/

This is breaking in some of our apps because they are attempting to validate the JWT; the workaround, for now, is to disable validation. I believe this was introduced in Passport 10 or 10.1, but I'm not certain.

Another person had similar issues on Stack Overflow: https://stackoverflow.com/questions/65129092/laravel-passport-chanage-type-of-exp-iat-and-nbf-to-int-or-float

@driesvints
Member

Afaik this is done with OAuth2 Server. I think I saw something fly by there about Lcobucci\JWT? @Sephster @lcobucci do any of you two know more about this?

@driesvints driesvints added the bug label Mar 26, 2021
@driesvints
Member

I see thephpleague/oauth2-server#1198 which isn't tagged yet atm. @billriess do the changes of that PR solve the issue for you?

@lcobucci
Contributor

lcobucci commented Mar 26, 2021

We already addressed that in lcobucci/jwt#706 and lcobucci/jwt#710; updating to the latest 4.x patches should solve the problem.

Also, 4.1 introduces the formatter that always uses integers - it's not the default, so users need to configure it.

@lcobucci
Contributor

Just to explain things better, time fractions are OK in JWT land. Our mistake was to represent them in strings - to not have precision issues when casting things to string (required to recreate the DateTimeImmutable object).

We've found an alternative to the casting that solves the issue and allows us to use floats - solving compatibility issues with other libs.

@driesvints
Member

Thanks @lcobucci. @billriess can you update to the latest JWT version to see if that fixes the issue?

@billriess
Contributor Author

Odd, I had 4.1.2 already but after updating to 4.1.4 it seems to be good now. Going to close this.

@corbosman

Even when they are floats, in our experience talking to about 2 dozen external systems using JWTs, pretty much all of them fail on float dates (so incompatible with Laravel Passport). For those that are stuck in the integer world, my laravel-claims package also has support for custom formatters so you can just format them to ints. https://github.com/corbosman/laravel-passport-claims
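
Added example, not part of the thread or of any project discussed in it: a Python check that decodes a token's payload and reports whether iat, nbf and exp are encoded as integers, floats or strings, the three encodings the comments above distinguish. The sample tokens, their claim values and all function names are constructed for illustration, and the check reads the payload only; it does not verify the signature.

```python
import base64
import json

TIME_CLAIMS = ("iat", "nbf", "exp")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_time_claims(token: str) -> dict:
    """Map each time claim to 'integer', 'float', 'string', 'missing' or 'invalid'.

    Inspects the payload only. This is a format diagnostic, not validation:
    the signature is never checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    report = {}
    for name in TIME_CLAIMS:
        value = payload.get(name)
        if name not in payload:
            report[name] = "missing"
        elif isinstance(value, bool):  # bool is a subclass of int in Python
            report[name] = "invalid"
        elif isinstance(value, int):
            report[name] = "integer"   # accepted by integer-only consumers
        elif isinstance(value, float):
            report[name] = "float"     # a JSON number, but has a fraction part
        elif isinstance(value, str):
            report[name] = "string"    # not a JSON number at all
        else:
            report[name] = "invalid"
    return report


def make_sample(claims: dict) -> str:
    # Constructed sample token with a placeholder signature segment.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


# Constructed claim values, one token per encoding.
SAMPLE_STRING = make_sample({"iat": "1616766000.123456", "nbf": "1616766000.123456", "exp": "1648302000.123456"})
SAMPLE_FLOAT = make_sample({"iat": 1616766000.123456, "nbf": 1616766000.123456, "exp": 1648302000.123456})
SAMPLE_INT = make_sample({"iat": 1616766000, "nbf": 1616766000, "exp": 1648302000})
```
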
