Remove "not before" claim "nbf" from JWT access token #1542
Comments
Thank you, I think we can have nbf optional as it really does not serve a lot of purpose.
@aeneasr Has this been addressed yet?
No, the issue is still open. Contributions welcomed!
@aeneasr, Thank you.
Yes, sounds good! I will unassign @Benehiko
@anderslauri Thanks for taking this. We have a related issue which is fixed by your PR.
A Hydra JWT access token contains the “not before” claim with the same value as “issued at”.
Example:

```json
{
"exp": 1565861736,
"iat": 1565858136,
"nbf": 1565858136,
…
}
```
This could lead to failing validations if a resource server doesn't have the correct time set or has a few seconds of clock skew but strict "not before" validation.
In addition, I think there is no point in setting "not before" to the "issued at" timestamp. This claim seems to be intended for use cases where a future date is given, so that a client cannot use a token immediately (e.g. a subscription starts tomorrow and cannot be used directly after token creation, see https://stackoverflow.com/questions/43291659/usage-of-nbf-in-json-web-tokens).
According to https://tools.ietf.org/html/rfc7519#section-4.1.5 the nbf claim is optional. Other implementations do not provide an "nbf" claim, or they provide one which is set to the value 0.
Proposal
Do not add a "nbf" claim by default.
To create tokens which are valid in the future, the nbf value should be controlled by client configuration or login application.
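The failure mode described above (nbf equal to iat, resource server a few seconds behind) and the usual mitigation on the validating side, as an added Go example that is not Hydra's own code: the `Claims` type and `ValidateTimes` function are assumptions, and the claims set is the one constructed from the issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims holds the registered time-based JWT claims (RFC 7519 section 4.1).
// A zero value means the claim is absent; nbf is optional per the RFC.
type Claims struct {
	Exp int64 `json:"exp,omitempty"`
	Iat int64 `json:"iat,omitempty"`
	Nbf int64 `json:"nbf,omitempty"`
}

// ValidateTimes checks exp and nbf against the resource server's clock `now`,
// tolerating `leeway` of clock skew in both directions. A missing nbf is accepted.
func ValidateTimes(c Claims, now time.Time, leeway time.Duration) error {
	if c.Exp != 0 && now.Add(-leeway).After(time.Unix(c.Exp, 0)) {
		return errors.New("token expired")
	}
	if c.Nbf != 0 && now.Add(leeway).Before(time.Unix(c.Nbf, 0)) {
		return errors.New("token not yet valid (nbf is in the future)")
	}
	return nil
}

func main() {
	// Constructed claims set mirroring the issue: nbf equals iat.
	raw := `{"exp": 1565861736, "iat": 1565858136, "nbf": 1565858136}`
	var c Claims
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		panic(err)
	}
	// Resource server whose clock runs 3 seconds behind the issuer.
	now := time.Unix(c.Iat, 0).Add(-3 * time.Second)
	fmt.Println("strict (no leeway):", ValidateTimes(c, now, 0))
	fmt.Println("with 5s leeway:   ", ValidateTimes(c, now, 5*time.Second))

	// Issuer side: leaving Nbf zero drops the claim entirely, as the proposal suggests.
	out, _ := json.Marshal(Claims{Exp: c.Exp, Iat: c.Iat})
	fmt.Println("claims without nbf:", string(out))
}
```

With no leeway the token is rejected on the skewed server even though it was just issued; with leeway, or with the nbf claim omitted, it validates.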