`auth_jwt_require_claim` vs `auth_jwt_validate_exp`

[col-panic]

Could it be, that if I configure the location like this

 auth_jwt_require_claim realm_access.roles intersect json=["medelexis-ee-report-viewer"];

it is not verified if the token is expired? I don't entirely understand the documentation

Do not process if verified by auth_jwt_require_claim directive

but in practice this seems to be the case?!

If yes, why? Could we better document this? Can I stil validate if the token is expired despite testing
for the claim?

[kjdev]

auth_jwt_require_claim validation is performed before auth_jwt_validate_exp validation of exp claim.

If auth_jwt_require_claim validates the exp claim, auth_jwt_validate_exp does not validate it.

[col-panic]

In my opinion this is a high severity security flaw. Both auth_jwt_key_request and exp must always be valid.
According to https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4 a JWT after expiration of exp MUST NOT be accepted for processing.

• What is the purpose of setting the option auth_jwt_validate_exp to false?
• Just imagine the following example: We had a user A in 2023 and he once got a valid JWT, now he is able to access the service forever?

[col-panic]

Same accounts for auth_jwt_validate_sig I always expect, that if i set a public key - it is necessary to be validated! I never explicitely tried, whether this assumption really holds!

In addition, a JWT without a signature should not be accepted at all! See e.g. https://blog.pentesteracademy.com/hacking-jwt-tokens-the-none-algorithm-67c14bb15771 the alg none attack!

[kjdev]

I understand the JWT specification.
Therefore, exp and sig validation is enabled by default.

However, it is up to the user how to use them, so they can be toggled (e.g. auth_jwt_leeway).

[kjdev]

For the same reason, I used to incorporate iss, sub, iat claim checks, but I have removed them now.
If necessary, you can use auth_jwt_require_claim to set up validation rules.

[col-panic]

sorry, but I'm confused - we deviated from the original question?! Maybe I need to change it: How does auth_jwt_require_claim validate the exp claim?

[kjdev]

fyi: https://github.com/kjdev/nginx-auth-jwt/blob/main/t/auth_jwt_validation_claim_exp.t