Expiration check succeeds on expired tokens - 'exp' looked for in body, not in header

Some servers (e.g. AWS Application Load Balancer) create JWT with .exp field inside the header of JWT, not in the body. NJWT looks for exp only in the body. Thus tokens that are clearly expired still pass the verification process. The isExpired function should probably look for .exp in both header and the body and succeed only if .exp is not there in both. 