Comments (3)
james-d-elliott
commented on June 1, 2024
Related: https://datatracker.ietf.org/doc/html/rfc7523#section-3
Note that the authorization server may reject JWTs
with an "exp" claim value that is unreasonably far in the
future.
from fosite.
vivshankar
commented on June 1, 2024
In our customized implementation of client authentication, which includes other stuff like tls_client_auth and the ability to choose between custom trust stores and jwks/jwks_uri, we introduced a new configurator interface for exactly the purpose that @james-d-elliott highlighted. We then check for a few things -
- iat unreasonably far in the past
- exp unreasonably far in the future
- (exp-iat) longer than a configured allowed lifetime value to prevent particularly long-lived JWTs and to enforce "freshness"
We happen to do this for all incoming JWTs, not just the client_assertion used for private_key_jwt. There are other practical things to consider adding like a clock skew setting.
from fosite.
mitar
commented on June 1, 2024
It seems I missed this. There is GrantTypeJWTBearerMaxDuration config which seems to control this and it defaults to 1 day.
from fosite.
Related Issues (20)
- Allow revoking access token without revoking refresh token HOT 2
- authorize_helper.isLoopbackAddress has flaws HOT 1
- clientCredentialsFromRequest should not expect Basic Authorization terms being URL Escaped HOT 2
- Refresh token flow handler does not set the original request ID in the handler early enough
- use mattn/go-sqlite3 v2.0.3+incompatible no the new version HOT 6
- Failed to decode `id_token_hint` when using different signer for `id_token` and others
- `iat` field in access token (JWT) issued as part of `refresh_token` grant. HOT 8
- Concurrent requests for token endpoint on auth-code flow with same code succeed. HOT 7
- Can not run the example code
- OIDC callback is always HTTPS, even when entered as HTTP HOT 1
- DefaultSigner should support key rotation
- Support per-client signing algorithm HOT 8
- Make prefix used in HMACSHAStrategy configurable
- openid session storage should be deleted when the authcode is exchanged HOT 9
- NewDefaultSession's SetSubject should set IDTokenClaims as well
- Consider upgrading to github.com/go-jose/go-jose/v4 HOT 1
- id_token_hint should not persist to storage HOT 2
- Unable to obtain expiration time of refresh tokens HOT 1
- Why does HMACStrategy.Generate uses a lock? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fosite.