Hi All,

At present TomEE will reject JWT tokens where the exp claim is a timestamp that is in the past. We also reject tokens where there is no exp claim at all.

I propose adding a setting which will allow tokens without an exp claim to be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 - using exp is optional). The current behavior (not allowing a token without an exp claim) would be the default, and the option to allow tokens without an exp would need to be explicitly enabled.

Are there any objections?

Jon
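
The behaviour described in the message above, as an added example that is not part of the original message and is not TomEE code: a claims check where a missing exp is accepted only when an opt-in flag is set, and a present but non-numeric exp is still rejected rather than treated as absent. The class, method, enum and flag names (`ExpClaimCheck`, `check`, `Result`, `allowNoExp`) are hypothetical, and the claim maps and clock value are constructed.

```java
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; not TomEE code. All names here are hypothetical.
public class ExpClaimCheck {

    enum Result { ACCEPT, REJECT_EXPIRED, REJECT_MISSING_EXP, REJECT_MALFORMED_EXP }

    // allowNoExp models the proposed opt-in setting; false reproduces the current default.
    static Result check(Map<String, Object> claims, Instant now, boolean allowNoExp) {
        Object exp = claims.get("exp");
        if (exp == null) {
            // With the opt-in enabled, such a token has no expiry enforced by this check.
            return allowNoExp ? Result.ACCEPT : Result.REJECT_MISSING_EXP;
        }
        // RFC 7519: exp is a NumericDate (seconds since the epoch). A string or
        // boolean here is malformed and must not fall through to the "no exp" path.
        if (!(exp instanceof Number)) {
            return Result.REJECT_MALFORMED_EXP;
        }
        // Fractional seconds, if any, are truncated by longValue().
        Instant expiry = Instant.ofEpochSecond(((Number) exp).longValue());
        // RFC 7519 section 4.1.4: the current time MUST be before the expiration time.
        return now.isBefore(expiry) ? Result.ACCEPT : Result.REJECT_EXPIRED;
    }

    public static void main(String[] args) {
        Instant now = Instant.ofEpochSecond(1_700_000_000L); // constructed fixed clock
        Map<String, Map<String, Object>> samples = new LinkedHashMap<>(); // constructed claims
        samples.put("future exp", Map.of("sub", "alice", "exp", 1_700_003_600L));
        samples.put("past exp", Map.of("sub", "alice", "exp", 1_699_999_000L));
        samples.put("no exp", Map.of("sub", "alice"));
        samples.put("string exp", Map.of("sub", "alice", "exp", "never"));

        for (boolean allowNoExp : new boolean[] {false, true}) {
            System.out.println("allowNoExp=" + allowNoExp);
            samples.forEach((name, claims) ->
                System.out.println("  " + name + " -> " + check(claims, now, allowNoExp)));
        }
    }
}
```

Only the "no exp" sample changes outcome between the two passes; expired and malformed exp values are rejected in both.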