
Remove "not before" claim "nbf" from JWT access token #1542

Closed
jbman opened this issue Aug 21, 2019 · 6 comments
Labels
feat New feature or request. package/oauth2

@jbman

jbman commented Aug 21, 2019

A Hydra JWT access token contains the "not before" claim with the same value as "issued at".
Example:
```json
{
  "exp": 1565861736,
  "iat": 1565858136,
  "nbf": 1565858136
}
```

This could lead to failing validations if a resource server doesn't have the correct time set or has a few seconds of clock skew but strict "not before" validation.
In addition, I think there is no point in setting "not before" to the "issued at" timestamp. This claim seems to be intended for use cases where a future date is given, so that a client cannot use a token immediately (e.g. a subscription starts tomorrow and cannot be used directly after token creation, see https://stackoverflow.com/questions/43291659/usage-of-nbf-in-json-web-tokens).

According to https://tools.ietf.org/html/rfc7519#section-4.1.5 the nbf claim is optional. Other implementations do not provide a "nbf" claim, or they provide one which is set to the value 0.

Proposal
Do not add a "nbf" claim by default.
To create tokens which are valid in the future, the nbf value should be controlled by client configuration or login application.
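The clock-skew failure described in this report, as an added example that is not Hydra's code: a resource server applies the small leeway RFC 7519 permits when checking `exp` and `nbf`, so a token whose `nbf` equals `iat` is still accepted by a validator whose clock runs a couple of seconds behind the issuer. `TimeClaims`, `PayloadClaims`, `ValidateTimes` and `SampleToken` are names chosen for this example; the token is constructed from the claims above and carries no real signature.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// TimeClaims holds the JWT time claims in Unix seconds. Nbf is a pointer so an
// absent claim (what the proposal asks for) is distinguishable from a set one.
type TimeClaims struct {
	Exp int64  `json:"exp"`
	Nbf *int64 `json:"nbf,omitempty"`
}

var ErrExpired, ErrNotYet = errors.New("token expired"), errors.New("token not yet valid: nbf is in the future")

// SampleToken is constructed here with the exact claims from the issue; the
// header and signature segments are placeholders, not a real signed token.
var SampleToken = "hdr." + base64.RawURLEncoding.EncodeToString(
	[]byte(`{"exp":1565861736,"iat":1565858136,"nbf":1565858136}`)) + ".sig"

// PayloadClaims decodes a compact JWT's payload WITHOUT verifying the signature;
// signature verification must happen before any claim is trusted.
func PayloadClaims(token string) (TimeClaims, error) {
	var c TimeClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(raw, &c)
}

// ValidateTimes checks exp and nbf against now, tolerating up to leeway of clock
// skew in either direction as RFC 7519 permits. An nbf of 0 is treated as absent.
func ValidateTimes(c TimeClaims, now time.Time, leeway time.Duration) error {
	n, skew := now.Unix(), int64(leeway/time.Second)
	if n > c.Exp+skew {
		return ErrExpired
	}
	if c.Nbf != nil && *c.Nbf != 0 && n+skew < *c.Nbf {
		return ErrNotYet
	}
	return nil
}
```

With `leeway` set to 0 a validator two seconds behind the issuer rejects the sample token with `ErrNotYet`; with a few seconds of leeway it accepts it, while a genuinely future `nbf` is still rejected.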

@aeneasr
Member

aeneasr commented Aug 25, 2019

Thank you, I think we can have nbf optional as it really does not serve a lot of purpose.

@aeneasr aeneasr added feat New feature or request. package/oauth2 labels Aug 25, 2019
@aeneasr aeneasr added this to the v1.0.1 milestone Aug 25, 2019
@aeneasr aeneasr modified the milestones: v1.0.1, v1.0.2 Sep 18, 2019
@aeneasr aeneasr modified the milestones: v1.0.2, v1.1.0 Oct 2, 2019
@aeneasr aeneasr modified the milestones: v1.1.0, v1.3.0 Feb 3, 2020
@aeneasr aeneasr modified the milestones: v1.4.0, v1.5.0 Apr 23, 2020
@kanishkarj

@aeneasr Has this been addressed yet?

@aeneasr
Member

aeneasr commented Apr 25, 2020

No, the issue is still open. Contributions welcomed!

@aeneasr aeneasr modified the milestones: v1.5.0, v1.6.0 Jul 1, 2020
@aeneasr aeneasr modified the milestones: v1.6.0, v1.8.0 Aug 4, 2020
@anderslauri
Contributor

anderslauri commented Mar 30, 2021

> No, the issue is still open. Contributions welcomed!

@aeneasr,
I would be keen on taking on this task; we're experiencing issues due to clock skew, and making nbf optional would save us some headache. I see @Benehiko is assigned this task, however, would it be in order if I were to provide a PR within the next few days?

Thank you.

@aeneasr
Member

aeneasr commented Mar 31, 2021

Yes, sounds good! I will unassign @Benehiko

@dominik-lekse

@anderslauri Thanks for taking this. We have a related issue which is fixed by your PR.
