Description

This publicly exposed API endpoint accepts JWTs that do not include an expiration time (exp) claim. The expiration claim is a critical security control that limits the validity period of a JWT and helps mitigate the impact of token compromise.

When JWTs lack an expiration claim, several security risks arise:

1. Indefinite token validity: Tokens remain valid forever, meaning compromised tokens never expire naturally.
2. Increased exposure window: If a token is compromised (through logs, network interception, and so on), attackers have unlimited time to discover, steal, and use it.
3. No natural token rotation: Without expiration, there’s no forcing mechanism for users to obtain fresh tokens with updated permissions.
4. Compliance violations: Many security frameworks and standards require time-limited authentication tokens.

Long-lived or permanent tokens violate the principle of temporal access control and significantly increase the security risk if tokens are leaked, stolen, or compromised through various attack vectors.

Remediation

To properly implement JWT expiration controls:

1. Require expiration claim: Configure JWT validation to require the presence of the exp claim in all tokens.
2. Validate expiration time: Always check that the current time is before the expiration time specified in the token.
3. Set reasonable expiration periods: Use appropriate token lifespans based on your security requirements (for example, 1 hour for access tokens).
4. Implement token refresh: Provide a secure token refresh mechanism to allow users to obtain new tokens before expiration.
5. Clock skew tolerance: Account for reasonable clock differences between token issuer and validator (typically a few minutes).