
Add options for claim-specific leeway #187

Merged (1 commit, Feb 9, 2017)

Conversation

EmilioCristalli
Contributor

This PR intends to fix #129 by adding one independent leeway option for each claim.

I tried to make it backwards compatible by keeping the "global" leeway option (which is overwritten by each claim-specific leeway if they are present).

Let me know what you think.

@excpt excpt self-requested a review February 6, 2017 08:07
@excpt excpt added this to the Version 1.6.0 milestone Feb 6, 2017
@excpt
Member

excpt commented Feb 9, 2017

Hey @EmilioCristalli

Thanks for the PR.

Can you drop the leeway for the iat claim, please?

https://tools.ietf.org/html/rfc7519#section-4.1.6

The RFC does not allow leeways for that claim.

Only the exp and nbf claims are allowed to have a leeway.

@EmilioCristalli
Contributor Author

Hey @excpt, I was also thinking about that, and my two concerns are:

  1. Backwards compatibility: if we remove the leeway for iat, we change functionality people may be relying on; is it worth doing it for 2.0?
  2. iat validation: I might be misinterpreting the RFC, but it seems like it doesn't talk about validating iat; it's like its purpose is to determine the age of the token, so maybe that's why it doesn't talk about a leeway for this claim.

In my opinion, the iat validation is an extra feature provided by the gem, so I would either remove this validation completely, or keep it with a leeway, as the rest of the time-sensitive validations have a leeway.

Member

@excpt excpt left a comment


After discussing the changes in the PR thread, I accept these changes. Thank you very much. :)

@excpt excpt merged commit 3c4ec13 into jwt:master Feb 9, 2017
@EmilioCristalli EmilioCristalli deleted the claim-specific-leeway branch February 9, 2017 16:20
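A small Ruby model of the option resolution described in this PR (added here as an illustration, not ruby-jwt's own code): a claim-specific leeway overrides the global one whenever it is present. The option keys :leeway, :exp_leeway and :nbf_leeway and the error class names are assumptions, and only the exp and nbf claims referred to in the RFC discussion above are covered.

```ruby
# Constructed stand-in for time-claim verification with per-claim leeway.
# Option keys :leeway, :exp_leeway, :nbf_leeway are assumed names, not
# necessarily those of the gem.
module ClaimLeeway
  ExpiredSignature  = Class.new(StandardError)
  ImmatureSignature = Class.new(StandardError)

  # Effective leeway for one claim: the claim-specific option wins when
  # present (an explicit 0 counts as present), otherwise the global
  # :leeway applies, defaulting to 0 seconds.
  def self.leeway_for(claim, options)
    options[:"#{claim}_leeway"] || options.fetch(:leeway, 0)
  end

  # Verify exp and nbf against +now+ (seconds since the epoch), each with
  # its own leeway. Returns the payload on success, raises otherwise.
  def self.verify!(payload, options = {}, now: Time.now.to_i)
    if payload.key?('exp') && payload['exp'].to_i <= now - leeway_for(:exp, options)
      raise ExpiredSignature, 'Signature has expired'
    end
    if payload.key?('nbf') && payload['nbf'].to_i > now + leeway_for(:nbf, options)
      raise ImmatureSignature, 'Signature nbf has not been reached'
    end
    payload
  end
end

if $PROGRAM_NAME == __FILE__
  now = 1_486_598_400 # constructed "current time"
  payload = { 'exp' => now - 30, 'nbf' => now + 10 }
  # A global leeway of 60 s tolerates both the stale exp and the early nbf.
  ClaimLeeway.verify!(payload, { leeway: 60 }, now: now)
  # exp_leeway: 5 overrides the global 60 s for exp only, so exp now fails.
  begin
    ClaimLeeway.verify!(payload, { leeway: 60, exp_leeway: 5 }, now: now)
  rescue ClaimLeeway::ExpiredSignature => e
    puts e.message
  end
end
```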
Successfully merging this pull request may close these issues:

#129: The leeway parameter applies to all time based verifications