Access Token expiry is not checked in BearerTokenValidator

[raziel057]

It's strange to me that when using server to server Auth based on client_id / client_secret, the Access token is generated with an expiry datetime persisted in DB and present in the Token but not validated by the server.

In BearerTokenValidator::validateAuthorization only revokation is validated:

// Check if token has been revoked
if ($this->accessTokenRepository->isAccessTokenRevoked($claims->get('jti'))) {
    throw OAuthServerException::accessDenied('Access token has been revoked');
}

Is it expected?

[teknolojisirketi]

You can use validator for check both expired or revoked

[raziel057]

My question was more is it expected to not do it by default for security reasons?

[raziel057]

Well in fact I dug a bit and can see the expiration time in the claims of JWT is checked with this code:

$constraints = $this->jwtConfiguration->validationConstraints();
$this->jwtConfiguration->validator()->assert($token, ...$constraints);

But the expiry that can be stored in DB is not. But I think the most important one is the one in the Token.