can't check that a JWT has an expiry defined in the verify function

[andyedwardsibm]

On the verify function, I can set the verification options to check the issuer, audience etc. These trigger a verification failure if the field is either wrong or completely missing. But there is no way to insist that there is an expiry in the claims.

I thought that I could set ignoreExpiration to false and force the verification to check, but it seems that the ignoreExpiration option only has an effect (and the expiry is only checked) if the exp field exists in the claims.

[jfromaniello]

indeed, this could be a good opt-in feature and maybe the default on the next major release.

[ensonik]

+1

This is actually pretty dangerous; If I explicitly state that expiration should be validated, I don't expect a token to be valid if no expiration is passed.

[DavidOVM]

what about checking that the decoded object contains "exp" field?
if (err || !decoded.exp) { return error }

[BigFab]

Hi, any news on this one? Thank you!