From 8f69f4f9a9232523f18325cb65287a7f61f22614 Mon Sep 17 00:00:00 2001
From: Adam McCann
Date: Thu, 31 Mar 2016 18:50:36 +0100
Subject: [PATCH] Access denied on token expiry (or value before nbf/not before) - issue #506

---
 src/AuthorizationValidators/BearerTokenValidator.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/AuthorizationValidators/BearerTokenValidator.php b/src/AuthorizationValidators/BearerTokenValidator.php
index 5dab2203..5a65ab0b 100644
--- a/src/AuthorizationValidators/BearerTokenValidator.php
+++ b/src/AuthorizationValidators/BearerTokenValidator.php
@@ -3,6 +3,7 @@
 namespace League\OAuth2\Server\AuthorizationValidators;
 
 use Lcobucci\JWT\Parser;
+use Lcobucci\JWT\ValidationData;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -47,6 +48,14 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
             throw OAuthServerException::accessDenied('Access token could not be verified');
         }
 
+        // validate
+        $data = new ValidationData();
+        $data->setCurrentTime(time());
+
+        if ($token->validate($data) === false) {
+            throw OAuthServerException::accessDenied('Access token is invalid');
+        }
+
         // Check if token has been revoked
         if ($this->accessTokenRepository->isAccessTokenRevoked($token->getClaim('jti'))) {
             throw OAuthServerException::accessDenied('Access token has been revoked');
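Review bot: The new check at `$data->setCurrentTime(time());` compares the token's time claims against this server's clock with no tolerance, so a token whose `nbf` or `iat` was stamped a second ahead by an issuer with a slightly fast clock is rejected as `Access token is invalid` until the skew elapses; if the installed version of `ValidationData` accepts a leeway value, a few seconds of allowance would avoid that, and otherwise the lack of tolerance should be documented at this line. As far as I can tell `Token::validate()` only evaluates the claims actually present on the token, so a token carrying no `exp` passes this check unchanged — acceptable only if every token this server issues carries `exp`, which is worth stating in the comment. The placement after the signature check (`Access token could not be verified`) is right, since time claims should not be trusted before the signature is verified, but the bare `// validate` comment should say what is enforced: `// Reject tokens outside their validity window (exp/nbf/iat) relative to this server's clock; claims absent from the token are not checked`. The enclosing method starts and ends outside the hunk.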