Hello,
I have an API with JWT set as authentication mode and a shared secret. I have created a HMAC-enabled Policy. Like some others, I ran into the “expired key” error after one hour but I have found the solution in the community. Now, it is working.
I still have an issue: when I provide an expired JWT (with an “exp” claim), I get a “403 Forbidden” status with the message “error”: “Key not authorized”.
The standard status code for this error should be “401 Unauthorized”. Is there any way to fix it?
Thank you
References:
https://tools.ietf.org/html/rfc6750#section-3
(page 8)
And in response to a protected resource request with an
authentication attempt using an expired access token:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example",
error="invalid_token",
error_description="The access token expired"
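Added example, not part of the original post and not any gateway's own code: a minimal HS256 bearer-token check in Python, standard library only, that maps each failure mode to the status and WWW-Authenticate challenge RFC 6750 section 3 prescribes. A malformed token, a bad signature or an expired "exp" claim all answer 401 with error="invalid_token" (the client never authenticated); only a token that verified but lacks a required scope answers 403 with error="insufficient_scope". The shared secret, realm, scope name and sample claims are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example only; not a real key.
SECRET = b"example-shared-secret"
REALM = "example"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def _challenge(status: int, error: str, description: str):
    # RFC 6750 section 3: the challenge carries error and error_description.
    value = f'Bearer realm="{REALM}", error="{error}", error_description="{description}"'
    return status, {"WWW-Authenticate": value}


def check_bearer(token: str, secret: bytes, now: float, required_scope: str = None):
    """Return (status, headers) for a bearer JWT, following RFC 6750 section 3.

    401 invalid_token      -> malformed, bad signature, missing or past "exp"
    403 insufficient_scope -> signature and expiry fine, required scope absent
    200                    -> accepted
    """
    parts = token.split(".")
    if len(parts) != 3:
        return _challenge(401, "invalid_token", "Malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return _challenge(401, "invalid_token", "Malformed token")

    # Pin the algorithm: never let the token's own "alg" header pick the verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return _challenge(401, "invalid_token", "Unsupported algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return _challenge(401, "invalid_token", "Invalid signature")

    # Only inspect claims after the signature is verified, so a forged "exp"
    # cannot steer the response. Requiring "exp" is a policy choice made here.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return _challenge(401, "invalid_token", "The access token expired")

    # Authenticated but not authorised for this resource: this is the 403 case.
    granted = str(claims.get("scope", "")).split()
    if required_scope is not None and required_scope not in granted:
        value = f'Bearer realm="{REALM}", error="insufficient_scope", scope="{required_scope}"'
        return 403, {"WWW-Authenticate": value}
    return 200, {}


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    expired = make_jwt({"sub": "alice", "exp": now - 1, "scope": "read"}, SECRET)
    print(check_bearer(expired, SECRET, now))
```

The ordering of the checks matters: signature first, then expiry, then scope. Reporting expiry before verifying the signature would let an unauthenticated client learn which challenge text the gateway emits for a claim it controls, and reporting scope before expiry would turn an expired token into a 403, which is the mix-up the post describes.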