mikyll commented on issue #11262:
URL: https://github.com/apache/apisix/issues/11262#issuecomment-2718704708

   @akshayparseja 
   
   Consider that `jwt-auth` uses a library to validate the JWT: [api7/lua-resty-jwt](https://github.com/api7/lua-resty-jwt).
   
   More specifically, the line of code that indicates that the JWT must include `exp` and `nbf` claims is this one: [lib/resty/jwt.lua#L723](https://github.com/api7/lua-resty-jwt/blob/6a2dda8915a10fe7d46637d048705a5ee22b9029/lib/resty/jwt.lua#L723).
   
   ```lua
   claim_spec[str_const.full_obj] = jwt_validators.require_one_of({ str_const.nbf, str_const.exp })
   ```
   
   Even though I agree that the presence of the `exp` claim (or `nbf`) shouldn't be forced, this change was **not introduced recently**, as you can see [here](https://github.com/api7/lua-resty-jwt/blame/6a2dda8915a10fe7d46637d048705a5ee22b9029/lib/resty/jwt.lua#L721-L723).
   
   Probably the easiest and quickest way to obtain the behaviour you want is to write a custom version of the `jwt-auth` plugin, which doesn't require the `exp` claim to be present...
   
   ---
   
   However, 2.x.x is an extremely old major version, I would say "vintage" 😄 Have you considered upgrading to a more recent and supported version? 👀
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
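
An added example, not code from the comment author, APISIX or lua-resty-jwt: a stand-alone Lua sketch of a "require one of `nbf`/`exp`" presence check next to a relaxed policy that a custom plugin might apply, where the time claims are optional but still enforced when present. The function names `require_one_of` (re-implemented here) and `optional_time_claims`, the `sub` values, and the fixed clock are assumptions for illustration; the claim tables are constructed, already-decoded payloads.

```lua
-- Added illustration: plain Lua, does not load lua-resty-jwt.

-- Hypothetical re-implementation of a presence check: passes when at
-- least one of the listed claims exists. It does not check the times.
local function require_one_of(keys)
  return function(claims)
    for _, k in ipairs(keys) do
      if claims[k] ~= nil then return true end
    end
    return false, "missing one of: " .. table.concat(keys, ", ")
  end
end

-- Hypothetical relaxed policy: exp/nbf may be absent, but a present
-- value must be numeric and valid at time `now` (leeway in seconds).
local function optional_time_claims(now, leeway)
  return function(claims)
    local exp, nbf = claims.exp, claims.nbf
    if exp ~= nil and (type(exp) ~= "number" or now >= exp + leeway) then
      return false, "expired or malformed exp"
    end
    if nbf ~= nil and (type(nbf) ~= "number" or now < nbf - leeway) then
      return false, "not yet valid or malformed nbf"
    end
    return true
  end
end

local now = 1700000000 -- fixed clock so the output is reproducible
local samples = {      -- constructed sample payloads
  { name = "no exp/nbf", claims = { sub = "alice" } },
  { name = "valid exp",  claims = { sub = "alice", exp = now + 3600 } },
  { name = "expired",    claims = { sub = "alice", exp = now - 3600 } },
  { name = "future nbf", claims = { sub = "alice", nbf = now + 3600 } },
  { name = "string exp", claims = { sub = "alice", exp = "never" } },
}

local strict = require_one_of({ "nbf", "exp" })
local relaxed = optional_time_claims(now, 0)
for _, s in ipairs(samples) do
  local ok_strict, err_strict = strict(s.claims)
  local ok_relaxed, err_relaxed = relaxed(s.claims)
  print(string.format("%-11s strict=%-5s relaxed=%-5s %s", s.name,
    tostring(ok_strict), tostring(ok_relaxed), err_strict or err_relaxed or ""))
end
```

Under the relaxed policy the "no exp/nbf" payload is accepted, so such a token stays valid until the signing secret or consumer credential is rotated.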
