JWT VerifyJWT Policy: Verify token if expired

@Anil Sagar

I've created a proxy in which I added a VerifyJWT policy. Basically it is just verifying the JWT with a given RSA Public Key, and it is working fine. However, I noticed the variable is_expired = false, but when I saw the value of expiry_formatted, it should be expired.

6770-variables.jpg

Note: This was executed 2018-04-17

What do I need to add to the policy?

I would really appreciate your help on this.

Thanks,

Joemar Gealogo

3 REPLIES

I think nothing is wrong. The VerifyJWT policy will not verify a JWT that is expired.

The expiry_formatted value that you see is expressed in UTC. That may be the source of your misunderstanding. Maybe you are interpreting that as local time. I am guessing so, because when you said

"This was executed 2018-04-17"

...you didn't mention the time or the timezone.

I can see that the expiry time displayed was: 2018-04-16 22:17:19 +0000

RIGHT NOW, as I type this response, it is 2018-04-16 19:55:00 +0000. (you can find this here) In other words, your JWT is STILL not expired. It will expire in about 2 hours and 22 minutes.

If you are in the IST timezone, or anywhere that is "ahead" of UTC by 2.5 hours or so, then it may be 2018-04-17 locally, but the token is still not expired.

The key unknown in your post is "exactly what time was it on 2018-04-17?" and "what time zone is that time relative to?"

----

This might also help: If you scroll down on your Trace UI, there should be another variable "time_remaining_formatted". It will show you the time remaining in an HH:MM:SS format. Also there is another variable, "seconds_remaining". That will show you an integer number of seconds until the expiry of the JWT. These are set only if the JWT includes an exp claim.

@Dino

Thanks for answering my question. Though, I've checked the remaining time and it is a negative value. Please see below.

6771-variables1.jpg

What does this mean?

Also, what policy or strategy should I use to check if the token was already expired?

Thanks.

@Dino

I already found a way to check if the token was already expired.

I added a Step with a Condition that is checking if jwt.verify-jwt.seconds_remaining LesserThanOrEquals 0, and it works as expected.

In case you know the best practice for this, just let me know.

Thanks,

Joemar
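
The UTC comparison discussed in this thread, as an added example (not code from any of the posts and not Apigee's implementation): it reads the exp claim from a constructed, unsigned sample token and compares it with a timezone-aware clock, showing that a token can still be valid while the local calendar date in IST already reads 2018-04-17. The function names are hypothetical; the result keys reuse the variable names from the thread only for readability, and signature verification is out of scope.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

UTC_FMT = "%Y-%m-%d %H:%M:%S %z"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(exp: datetime) -> str:
    """Constructed, unsigned sample token; the signature segment is a placeholder."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": "sample", "exp": int(exp.timestamp())}).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"


def expiry_status(token: str, now: datetime) -> dict:
    """Compare exp (seconds since the epoch, UTC) with an aware 'now'. No signature check."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware; a naive local time hides the offset")
    segment = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if "exp" not in claims:
        return {"has_exp": False}
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    remaining = int((exp - now).total_seconds())
    return {
        "has_exp": True,
        "expiry_formatted": exp.strftime(UTC_FMT),
        "seconds_remaining": remaining,
        "is_expired": remaining <= 0,  # expired on or after exp
    }


EXP = datetime(2018, 4, 16, 22, 17, 19, tzinfo=timezone.utc)  # expiry quoted in the thread
TOKEN = make_sample_token(EXP)
IST = timezone(timedelta(hours=5, minutes=30))  # fixed offset, no tz database needed

if __name__ == "__main__":
    now = datetime(2018, 4, 16, 19, 55, 0, tzinfo=timezone.utc)  # time quoted in the reply
    print(expiry_status(TOKEN, now))
    print("same instant in IST:", now.astimezone(IST).strftime(UTC_FMT))
    print(expiry_status(TOKEN, EXP + timedelta(seconds=1)))
```
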