To begin with, please understand that I have little formal training in Front Stack development. I've had to learn a lot on the job, and our only experienced developer left about a year ago, so I very well might not know something I should.

My current conundrum is that I don't know how to check when a JWT token I have, that I did not create, has expired. How would I know, since I don't know the secret used to generate it? I could possibly just record when I made the request for the token(s) and how long I made the timeout, but I wonder if there will be a disconnect between when I made the request and the time the token actually expires.

I ask, because I don't want to randomly call to refresh any of these tokens. Only when they expire.

If it helps, we are using Python 3.6 in the backend and making a request to Signal Wire for the tokens.

Thanks in advance

J. Finn

1 Answer

A JWT token usually has three parts, each of them being base64-encoded. The payload part usually holds an expiration date as seconds since 1970-01-01.

This could be a token:

eyJhbGciOiAiSFMyNTYiLCJ0eXAiOiAiSldUIn0.eyJleHAiOiAxNTM2MzYxNDExLCJ1c2VybmFtZSI6ICJBYmUgTGluY29sbiIsInByZWZlcnJlZF91c2VybmFtZSI6ICJBYmVMaUBtaWNyb3NvZnQuY29tIn0.c2Rmc2FkZmFzZmRzYWZkYXNmZA

Each of the parts (separated by a dot) can be base64-decoded (as https://jwt.io/ does):

  1. Header - usually algorithm and token type, e.g.:
    {
      "alg": "HS256",
      "typ": "JWT"
    }
  2. Payload - whatever content the token has, usually some information on the user ID and the expiration date of the token, e.g.:
    {
      "exp": 1536361411,
      "username": "Abe Lincoln",
      "preferred_username": "AbeLi@microsoft.com"
    }
  3. Signature: some binary value

A token usually even gives you enough information to retrieve the signing key. See the answer on How does JWT.io already know my public key? for more details or dig into the OpenID Connect Discovery Protocol for full understanding.
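Putting the answer into practice for the Python 3.6 backend mentioned in the question: the script below (an added example, not the answerer's code) splits the sample token above, restores the base64url padding that JWTs strip, reads `exp` from the payload without verifying the signature, and decides whether it is time to refresh. The `leeway` parameter is an assumption added here to absorb clock skew and request latency, which is the "disconnect" the question worries about.

```python
import base64
import json
import time

# Sample token from the answer above; its payload carries "exp": 1536361411.
SAMPLE_TOKEN = (
    "eyJhbGciOiAiSFMyNTYiLCJ0eXAiOiAiSldUIn0."
    "eyJleHAiOiAxNTM2MzYxNDExLCJ1c2VybmFtZSI6ICJBYmUgTGluY29sbiIs"
    "InByZWZlcnJlZF91c2VybmFtZSI6ICJBYmVMaUBtaWNyb3NvZnQuY29tIn0."
    "c2Rmc2FkZmFzZmRzYWZkYXNmZA"
)


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def decode_claims(token):
    """Return (header, payload) as dicts WITHOUT checking the signature.

    Reading 'exp' this way is enough to schedule a refresh on the client;
    whoever accepts the token still has to verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT segments")
    header = json.loads(_b64url_decode(parts[0]).decode("utf-8"))
    payload = json.loads(_b64url_decode(parts[1]).decode("utf-8"))
    return header, payload


def seconds_until_expiry(token, now=None, leeway=30):
    """Seconds left before 'exp' minus the leeway; None if there is no 'exp'.

    leeway (assumed value, seconds) makes us treat the token as expired a
    little early, covering clock skew and the round trip to the issuer.
    """
    _, payload = decode_claims(token)
    exp = payload.get("exp")
    if exp is None:
        return None
    now = time.time() if now is None else now
    return int(exp) - leeway - now


def is_expired(token, now=None, leeway=30):
    remaining = seconds_until_expiry(token, now, leeway)
    return remaining is not None and remaining <= 0
```

Call `is_expired(token)` before each use and refresh only when it returns `True`; a token without an `exp` claim never reports as expired, so fall back to your own request timestamp in that case.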