Hello. After making use of its classes and obtaining a token, I debugged it at https://jwt.io/ and the following registered claims are considered invalid: "iat", "nbf", "exp".
The obtained token is as follows:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAiLCJqdGkiOiIxIiwiaWF0IjoiMTYxNDE3NDY0OC43OTkzMTAiLCJuYmYiOiIxNjE0MTc0NzA4Ljc5OTMxMCIsImV4cCI6IjE2MTQxNzQ3NjguNzk5MzEwIiwidXNlcklkIjoxLCJ1c2VybmFtZSI6IkNhcmxvcyJ9.5Nbc_aTjzrmFDfuGhC707QXxicreXLRKVT42qBY_HXg
The key is 'key'.
Code:
namespace App\Service\Auth\TokenProvider;

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;

class TokenProvider
{
    public function createToken(int $userId, string $username)
    {
        $config = $this->createConfiguration();
        $now = new \DateTimeImmutable();

        $token = $config->builder()
            // Configures the issuer (iss claim)
            ->issuedBy('http://localhost:8080')
            // Configures the audience (aud claim)
            #->permittedFor('http://example.org')
            // Configures the id (jti claim)
            ->identifiedBy($userId)
            // Configures the time that the token was issued (iat claim)
            ->issuedAt($now)
            // Configures the time that the token can be used (nbf claim)
            ->canOnlyBeUsedAfter($now->modify('+1 minute'))
            // Configures the expiration time of the token (exp claim)
            #->expiresAt($now->modify('+1 hour'))
            ->expiresAt($now->modify('+2 minute'))
            // Configures two custom claims, "userId" and "username"
            ->withClaim('userId', $userId)
            ->withClaim('username', $username)
            // Configures a new header, called "foo"
            #->withHeader('foo', 'bar')
            // Builds a new token
            ->getToken($config->signer(), $config->signingKey());

        return $token;
    }

    public function validateToken(string $userToken)
    {
        $config = $this->createConfiguration();
        $token = $config->parser()
            ->parse($userToken);
        $constraints = $config->validationConstraints();

        if (! $config->validator()->validate($token, ...$constraints)) {
            // Leading backslash: RuntimeException lives in the global namespace
            throw new \RuntimeException('No way!');
        }
    }

    private function createConfiguration()
    {
        $config = Configuration::forSymmetricSigner(
            // You may use any HMAC variations (256, 384, and 512)
            new Sha256(),
            // replace the value below with a key of your own!
            #InMemory::base64Encoded('YSB2ZXJ5IGxvbmcgYSB2ZXJ5IHVsdHJhIHNlY3VyZSBrZXkgZm9yIG15IGFtYXppbmcgdG9rZW5z')
            InMemory::plainText('key')
            // You may also override the JOSE encoder/decoder if needed by providing extra arguments here
        );

        return $config;
    }
}
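An added example, not part of the original post and not code from lcobucci/jwt: a standalone PHP check that decodes the payload of the token quoted above and lists any of "iat", "nbf", "exp" that is not a JSON number, which is what RFC 7519 requires of a NumericDate. The function names `b64urlDecode` and `checkTimeClaims` are hypothetical, and no signature verification is performed.

```php
<?php
declare(strict_types=1);

// Token copied verbatim from the post above.
const TOKEN = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAiLCJqdGkiOiIxIiwiaWF0IjoiMTYxNDE3NDY0OC43OTkzMTAiLCJuYmYiOiIxNjE0MTc0NzA4Ljc5OTMxMCIsImV4cCI6IjE2MTQxNzQ3NjguNzk5MzEwIiwidXNlcklkIjoxLCJ1c2VybmFtZSI6IkNhcmxvcyJ9.5Nbc_aTjzrmFDfuGhC707QXxicreXLRKVT42qBY_HXg';

/** Decode one base64url segment (URL-safe alphabet, padding stripped). */
function b64urlDecode(string $segment): string
{
    $length = (int) (ceil(strlen($segment) / 4) * 4);
    $raw = base64_decode(str_pad(strtr($segment, '-_', '+/'), $length, '='), true);
    if ($raw === false) {
        throw new InvalidArgumentException('segment is not valid base64url');
    }
    return $raw;
}

/**
 * Return one message per registered time claim that is present but is
 * not a JSON number. The signature is deliberately not checked here.
 */
function checkTimeClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('expected three dot-separated segments');
    }
    $claims = json_decode(b64urlDecode($parts[1]), true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('payload is not a JSON object');
    }
    $problems = [];
    foreach (['iat', 'nbf', 'exp'] as $name) {
        if (!array_key_exists($name, $claims)) {
            continue; // absent claims are a policy question, not a type error
        }
        $value = $claims[$name];
        if (!is_int($value) && !is_float($value)) {
            $problems[$name] = sprintf('%s is a JSON %s (%s), expected a number',
                $name, gettype($value), json_encode($value));
        }
    }
    return $problems;
}

foreach (checkTimeClaims(TOKEN) as $problem) {
    echo $problem, PHP_EOL;
}
```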