Timestamps are now strings with microseconds division?

[jgivoni]

After upgrading from lcobucci/jwt v3 to v4 the service I'm sending a JWT to is now saying it's invalid.
I tracked down the difference in the token (before base64 encoding) between before and after to this:

Before, v3:

{
	"iat":1609849552,
	"exp":1609853152,
}

After, v4:

{
    "iat":"1609849310.182205",
    "exp":"1609852910.182205",
}

So it seems that timestamps (NumericDate in RFC7519) are now floats, encoded as string instead of integers.

I assume this is not a bug but intentional, but can I please have some advice on how to handle this when my service provider doesn't seems to like the new format?

This is a snippet of the code I'm using (as taken from the example on the website):

$now = new DateTimeImmutable();
    $config = \Lcobucci\JWT\Configuration::forSymmetricSigner(new \Lcobucci\JWT\Signer\Hmac\Sha256(),
        \Lcobucci\JWT\Signer\Key\InMemory::plainText('blabla'));

    $signedToken = $config->builder()
        ->issuedAt($now)
        ->expiresAt($now->modify('+1 hour'))
        ->getToken($config->signer(), $config->signingKey())
        ->toString();
    ?>

Should I not use expiresAt() and issuedAt() methods and set the iat and exp claims 'manually'?

Happy new year!
Jakob

[Slamdunk]

Hi, as discussed in #618 a dedicated PR is already on the way to provide integer only dates: #617

[jgivoni]

Ok, thanks a lot! Did I do something wrong by not finding that PR before asking here or is it just not that obvious? Furthermore, when can we expect the new version out?

[Ocramius]

Nothing wrong: just didn't search with the correct words, or didn't correlate the fact that a "date formatter" is being introduced with this issue you have.

when can we expect the new version out?

When it's ready :-)

[jgivoni]

You're right, I didn't do any searching, just browsed "Issues" and "Pull Requests (open)".

When it's ready :-)

ETA?

[lcobucci]

We don't have an ETA, there're a few things that we want to handle before releasing it.

You can follow the docs and create that component on your code and remove once v4.1 gets released: https://lcobucci-jwt.readthedocs.io/en/stable/extending-the-library/#claims-formatter

Alternatively, you can create your date objects without microseconds, which will work right away:

$now = new DateTimeImmutable('@' . time());

[jgivoni]

On Tue, 5 Jan 2021 at 17:44, Luís Cobucci ***@***.***> wrote: We don't have an ETA, there're a few things that we want to handle before releasing it. You can follow the docs and create that component on your code and remove once v4.1 gets released: https://lcobucci-jwt.readthedocs.io/en/stable/extending-the-library/#claims-formatter — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#623 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAHY3RGSHF3NGUQ3ZF5ERKLSYM6YDANCNFSM4VVB2J4A> .

Thank you for the advice, Luís.

[jgivoni]

This is now possible with v4.1 being release as of 2021-01-28.

I fixed it by using the new claims formatter in the builder, like this:

$config->builder(\Lcobucci\JWT\Encoding\ChainedFormatter::withUnixTimestampDates())

[lcobucci]

Just a small update here: encoding the time fractions as strings cause compatibility issues with other libraries.
That was fixed by the most recent patches (both on v4.0 and v4.1).