Is it possible to verify if a JWE token has expired? or set an expiry time for a JWE token? #299
-
|
Just like JWTs where they have an expiration time, is it possible with jose? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
JWEs just like JWSs do not have expiration. JWT in either JWS or JWE syntax do. And for JWT using JWE syntax there's a module. 12. Be sure to choose the right algorithm for encrypted JWEs tho. They only really make sense if you're both the issuer and recipient, the alg: dir and enc: A256GCM is a good fit then. Otherwise Signed JWTs are really superior in being able to provide non-repudiation. Footnotes |
Beta Was this translation helpful? Give feedback.
-
|
Although this is true, it is not an exact answer. It is possible for an encrypted token (JWE) or a signed token (JWS) to have an expiration time. With replicated claims, it is possible for your application to know if the token has expired by reading the |
Beta Was this translation helpful? Give feedback.
-
|
But in order for a claim to be replicated the token first needs to be a JWT in a JWE syntax. That's fine and such token can obviously have an expiration, it's a JWT. OTOH JWE or JWS with arbitrary payloads / plaintexts have nothing to replicate. |
Beta Was this translation helpful? Give feedback.
-
I agree with that, but nothing prevent from using the |
Beta Was this translation helpful? Give feedback.
JWEs just like JWSs do not have expiration. JWT in either JWS or JWE syntax do. And for JWT using JWE syntax there's a module. 12. Be sure to choose the right algorithm for encrypted JWEs tho. They only really make sense if you're both the issuer and recipient, the alg: dir and enc: A256GCM is a good fit then. Otherwise Signed JWTs are really superior in being able to provide non-repudiation.
Footnotes
https://github.com/panva/jose/blob/v4.1.1/docs/classes/jwt_encrypt.EncryptJWT.md ↩
https://github.com/panva/jose/blob/v4.1.1/docs/functions/jwt_decrypt.jwtDecrypt.md ↩