thephpleague · alexbilbie · Apr 9, 2016 · Mar 31, 2016
diff --git a/src/AuthorizationValidators/BearerTokenValidator.php b/src/AuthorizationValidators/BearerTokenValidator.php
@@ -3,6 +3,7 @@
 namespace League\OAuth2\Server\AuthorizationValidators;
 
 use Lcobucci\JWT\Parser;
+use Lcobucci\JWT\ValidationData;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -47,6 +48,14 @@ public function validateAuthorization(ServerRequestInterface $request)
                 throw OAuthServerException::accessDenied('Access token could not be verified');
             }
 
+            // validate
+            $data = new ValidationData();
+            $data->setCurrentTime(time());
+
+            if ($token->validate($data) === false) {
+                throw OAuthServerException::accessDenied('Access token is invalid');
+            }
+
             // Check if token has been revoked
             if ($this->accessTokenRepository->isAccessTokenRevoked($token->getClaim('jti'))) {
                 throw OAuthServerException::accessDenied('Access token has been revoked');