Jwt grant expired, but it still can use #3610
Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
Jwt grant expired, but it still can use
Reproducing the bug
1、create a trust relationship for a JWT issuer,and set expires_at after 30 seconds.
reqParam := make(map[string]interface{}) reqParam["allow_any_subject"] = true reqParam["expires_at"] = time.Now().Add(time.Second * 30).UTC() reqParam["issuer"] = issuer reqParam["jwk"] = map[string]interface{}{ "use": "sig", "kty": "RSA", "kid": kid, "alg": "RS256", "n": nBase64, "e": eBase64, } reqParam["scope"] = []string{"all"}
2、got assertion and use assertion exchange token
scope=all&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=xx
3、repeate setp 2
Relevant log output
No response
Relevant configuration
No response
Version
v2.1.2
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response