expired JWT response messages changed

Hi,

We use the TJwtMiddleware with Sparkle and XData that validates the JWT:
FXDataServerModule.AddMiddleware(TJwtMiddleware.Create('AAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA'));

Until a recent update the component returned simple messages such as:
"Invalid JWT"
"Token expired"

These have been changed to more complex messages:

JWT (claims: {"iat":1658408565,"nbf":1658408515,"exp":1658412165,"iss":"","sub":"{A418530E-819A-4393-9F9D-99ACBCB4A999}","typ":"Bearer","aud":"XXX","sid":1031,"scope":""}) rejected due to invalid claims.
Validation errors:
The JWT is no longer valid - the evaluation time [2022-08-23T12:44:02.299Z] is on or after the Expiration Time [exp=2022-07-21T14:02:45.000Z] claim value .

We relied on the response messages to determine whether tokens needed to be refreshed. The HTTP code 401 is not sufficient.

I can create a descendant of TJwtMiddleware (JWT Authentication) and create my own codes. But I do have to interpret the new complex message, which can be changed in a new update, and is therefore unreliable.

Questions:

  • Why is it changed?
  • What should be used to reliably determine why the JWT has been declined? Is there a code that should be used instead of the message?

Thank you.

Exactly: to provide more detailed information about what happens to the JWT. There might be many reasons for failing, and now the error message is more specific about what happened.

The message is still the way to go. Note that a JWT is just a JSON encoded in Base64. You can check the expiration time before sending it to the server. This avoids having to parse the response, and avoids having to do roundtrips to the server just to find out the token is expired.
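A client-side pre-flight check of the kind described in the reply above, as an added example that is not part of the thread or of the TMS libraries (written in Python rather than Delphi so it runs anywhere). The sample token is constructed here from the claims quoted earlier in the thread with a placeholder signature, and the 30-second refresh-early margin is an assumption:

```python
import base64
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token carrying the claims quoted in the thread. The
# signature is a placeholder: this client-side check never verifies it,
# the server does.
SAMPLE_CLAIMS = {
    "iat": 1658408565, "nbf": 1658408515, "exp": 1658412165,
    "iss": "", "sub": "{A418530E-819A-4393-9F9D-99ACBCB4A999}",
    "typ": "Bearer", "aud": "XXX", "sid": 1031, "scope": "",
}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"placeholder-signature"),
])


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS *without* verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_status(token: str, now: Optional[float] = None, leeway: int = 30) -> str:
    """Classify a token as 'valid', 'expired', 'not_yet_valid' or 'malformed'.

    `leeway` is a refresh-early margin (assumed value): a token that expires
    within the next `leeway` seconds is reported as expired, so a request
    already in flight does not reach the server just as exp passes.
    """
    try:
        claims = decode_claims(token)
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    now = time.time() if now is None else now
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        return "malformed"  # no usable exp: do not trust the token lifetime
    if now >= exp - leeway:
        return "expired"
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        return "not_yet_valid"
    return "valid"


def needs_refresh(token: str, now: Optional[float] = None) -> bool:
    """True when the client should obtain a new token before calling the API."""
    return token_status(token, now) != "valid"


if __name__ == "__main__":
    print(token_status(SAMPLE_JWT, now=1658408625))  # valid
    print(token_status(SAMPLE_JWT, now=1661258642))  # expired
```

This only decodes the payload; it never checks the signature, so treat the result as a hint for deciding when to refresh, not as authentication. The server's own validation stays authoritative, and clock skew between client and server can still produce a 401 for a token the client considered valid, so the refresh-on-401 path is still needed alongside the pre-flight check.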

Maybe the response should be a JSON object, with fields such as ReasonCode and Message, so developers can decide how to best respond.

@Weetch_Russell that would be really helpful. I do want to return proper and clean messages to clients that connect with our backend.

This could be done in the same format as the result of EXDataHTTPException.

raise EXDataHTTPException.Create(404,'TokenExpired' ,'MESSAGE');

The problem is that would again break the response content. The response has a format, anyway: one validation message in each line.

Hi @wlandgraf ,

We have made some changes on the server and now use our own descendant of TJwtMiddleware to create a response message.

When testing this with a Postman client we see the 401 response code with our own (custom) message 'JWT is no longer valid'.

However, when using a TXDataClient in Delphi we don't get the custom message. Instead we get 'Unauthorized' no matter what we try.

So far we tried catching the exception as E: Exception and as an EXDataOperationRequestException, but both failed to produce the custom response.
Using the EXDataOperationRequestException we are able to get more info from the response Message (still not our custom text):
XData server request error.
Uri: http://xxx.xxx.xxx/yyy/yyyy/
Status code: 401
Unauthorized

Any suggestion on how to get the custom message at the client?

Seems we might get our message from the E.info property of EXDataOperationRequestException

Correct, you can get it this way:

if (E.Info is TJPrimitive) and TJPrimitive(E.Info).IsString then
  Message := TJPrimitive(E.Info).AsString

Alternatively, since you now have full control over the response, you can return it as a JSON in the standard XData format:

{
  "error": {
    "code": "error code",
    "message": "error message"
  }
}

Then the ErrorCode and ErrorMessage properties will be properly filled in EXDataOperationRequestException.
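Added example, not code from the thread or from XData: a small Python parser for the three response shapes discussed here, the standard {"error": {"code", "message"}} envelope shown in the reply above, a bare JSON string as surfaced through E.Info, and the older plain-text format with one validation message per line. The error code name TokenExpired is borrowed from the EXDataHTTPException suggestion earlier in the thread and is an assumption; the sample bodies are constructed for the example:

```python
import json
from typing import List, Optional, Tuple

# Hypothetical stable code emitted by a TJwtMiddleware descendant; the name is
# an assumption for this example, any string agreed with clients will do.
CODE_TOKEN_EXPIRED = "TokenExpired"

# Constructed bodies matching the shapes discussed in the thread.
LEGACY_TEXT_BODY = (
    'JWT (claims: {"exp":1658412165,"sub":"{A418530E-819A-4393-9F9D-99ACBCB4A999}"}) '
    "rejected due to invalid claims.\n"
    "Validation errors:\n"
    "The JWT is no longer valid - the evaluation time [2022-08-23T12:44:02.299Z] "
    "is on or after the Expiration Time [exp=2022-07-21T14:02:45.000Z] claim value .\n"
)
PLAIN_STRING_BODY = '"JWT is no longer valid"'  # what E.Info exposes as a TJPrimitive


def build_error_body(code: str, message: str) -> str:
    """Serialize an error in the standard XData envelope (server side)."""
    return json.dumps({"error": {"code": code, "message": message}})


def parse_error_body(body: str) -> Tuple[Optional[str], str, List[str]]:
    """Return (code, message, validation_lines) for a rejected request body.

    Tries, in order: the XData {"error": {"code", "message"}} envelope, a bare
    JSON string, and the middleware's plain-text form with one validation
    message per line after a "Validation errors:" line.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and isinstance(doc.get("error"), dict):
        err = doc["error"]
        code = err.get("code")
        return (code if isinstance(code, str) and code else None,
                str(err.get("message", "")), [])
    if isinstance(doc, str):
        return None, doc, []
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        return None, "", []
    if "Validation errors:" in lines:
        idx = lines.index("Validation errors:")
        return None, " ".join(lines[:idx]), lines[idx + 1:]
    return None, lines[0], lines[1:]


def should_refresh_token(status: int, body: str) -> bool:
    """Refresh only when a 401 carries the agreed code, never on message text."""
    code, _, _ = parse_error_body(body)
    return status == 401 and code == CODE_TOKEN_EXPIRED


if __name__ == "__main__":
    print(parse_error_body(build_error_body(CODE_TOKEN_EXPIRED, "JWT is no longer valid")))
    print(parse_error_body(LEGACY_TEXT_BODY))
```

The refresh decision keys on the code field, which the server controls and can keep stable across library updates, while the message stays free-form for humans; the plain-text branch is only there so a client can still surface the validation lines when it talks to an older server that has not been switched to the envelope.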
