ExpiredJwtException logs wrong date #291

Closed
mbeattie opened this issue Dec 21, 2017 · 3 comments

@mbeattie

The ExpiredJwtException uses a SimpleDateFormatter in the ISO8601 format but doesn't set the timezone to UTC, so the string it returns ends with a "Z" indicating it's UTC, but the time is parsed in local time.

The comparisons seem to be correct, just the message is not.

@azagniotov

azagniotov commented Mar 13, 2018

+1

I experienced a similar issue today:

2018-03-12 16:24:47,997 ERROR [xxxxxxx] ..... Error details: JWT must not be accepted before 2018-03-12T16:25:19Z. Current time: 2018-03-12T16:24:47Z, a difference of 1003 milliseconds.  Allowed clock skew: 30000 milliseconds.

There are 32000 milliseconds difference between the two dates in the log, but the log message shows a difference of 1003...

Probably has to do with the following code in DefaultJwtParser:

    Date exp = claims.getExpiration();
    if (exp != null) {

        long maxTime = nowTime - this.allowedClockSkewMillis;
        Date max = allowSkew ? new Date(maxTime) : now;
        if (max.after(exp)) {
            sdf = new SimpleDateFormat(ISO_8601_FORMAT);
            String expVal = sdf.format(exp);
            String nowVal = sdf.format(now);

            long differenceMillis = maxTime - exp.getTime();

            String msg = "JWT expired at " + expVal + ". Current time: " + nowVal + ", a difference of " +
                differenceMillis + " milliseconds.  Allowed clock skew: " +
                this.allowedClockSkewMillis + " milliseconds.";
            throw new ExpiredJwtException(header, claims, msg);
        }
    }

@lhazlewood in general: are there any plans to move away from using java.util.Date in favor of classes from java.time.*?
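The two effects discussed in the comments above, as an added example that is not part of the original thread or of the project's code: a SimpleDateFormat whose pattern quotes 'Z' as a literal prints JVM-local time with a UTC suffix unless its time zone is set, and the difference in the message is measured from the skew-adjusted time rather than from the current time. The class name, the pattern string, the default zone and the timestamps are assumptions constructed for the demonstration.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

public class ExpiredMessageDemo {
    // Assumed pattern: 'Z' is a quoted literal, not a zone field, so it is always printed as-is.
    static final String ISO_8601_FORMAT = "yyyy-MM-dd'T'HH:mm:ss'Z'";

    // Formats the way the quoted snippet does: no zone is set, so the JVM default zone applies.
    static String formatDefaultZone(Date d) {
        return new SimpleDateFormat(ISO_8601_FORMAT).format(d);
    }

    // Formats in UTC, so the literal 'Z' suffix matches the printed time.
    static String formatUtc(Date d) {
        SimpleDateFormat sdf = new SimpleDateFormat(ISO_8601_FORMAT);
        sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
        return sdf.format(d);
    }

    public static void main(String[] args) {
        // Constructed scenario: a host whose default zone is not UTC.
        TimeZone.setDefault(TimeZone.getTimeZone("America/Los_Angeles"));

        long allowedClockSkewMillis = 30_000L;        // constructed value
        Date exp = new Date(1_520_871_887_000L);      // constructed: 2018-03-12T16:24:47 UTC
        Date now = new Date(exp.getTime() + 31_003L); // constructed: 31.003 s after exp

        // Same instant, same 'Z' suffix, different wall-clock digits.
        System.out.println("default zone : " + formatDefaultZone(exp));
        System.out.println("UTC          : " + formatUtc(exp));

        // The snippet reports maxTime - exp, i.e. the gap left after the skew allowance.
        long maxTime = now.getTime() - allowedClockSkewMillis;
        System.out.println("maxTime - exp: " + (maxTime - exp.getTime()) + " ms");
        System.out.println("now - exp    : " + (now.getTime() - exp.getTime()) + " ms");
    }
}
```

When correlating these exception messages with other logs during an investigation, compare instants from the claims themselves rather than the formatted strings on library versions affected by this issue.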

@azagniotov

I see there is another issue raised regarding the same question: #286

@lhazlewood
Contributor

This has been fixed and released in 0.10.0.
