JSON Web Tokens created by OpenIG do not seem to have built-in expiration?

This topic has 2 replies, 2 voices, and was last updated 7 years, 1 month ago by Karl Harbour.

     Karl Harbour (#6184)

    As far as I can tell, the JSON Web Tokens created by OpenIG do not have an expiration time, as per https://tools.ietf.org/html/rfc7519#page-9 section 4.1.4.

    Although the “exp” (Expiration Time) Claim is OPTIONAL, I think without it there is the possibility of a replay attack?

     Mark Craig

    When I add a line to log the decrypted JWT claims set, recompile OpenIG, and redeploy, it looks like the JWT claims set indeed contains only what has been included in the session.

    With the present implementation, you could use a ScriptableFilter to include and verify an “exp” claim.

    It would also help to have a feature request for OpenIG to manage “exp” out of the box. The issue tracker is at https://bugster.forgerock.org/jira/browse/OPENIG/.

     Karl Harbour

    I was thinking the same re: ScriptableFilter, however I am generally of the view that implementation of security features should be left to the experts – in other words, I think OpenIG should support this out of the box. So, feature request raised: https://bugster.forgerock.org/jira/browse/OPENIG-733
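As an added illustration of the check Mark describes (verifying an "exp" claim in the filter before trusting the token), here is a stand-alone Python sketch that is not code from this thread, from OpenIG, or from the ScriptableFilter API. It verifies the HS256 signature first, then requires an "exp" claim and enforces it with an optional clock-skew leeway, so a token with no expiry, an expired token, or a token whose "exp" was edited after signing are all rejected. The key, subject and timestamps are constructed sample values, and `sign_jwt`, `verify_jwt` and `check_token` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import json
import time


class JwtError(Exception):
    """Raised when a token fails signature or claim validation."""


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that base64url stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Serialize a claims set as an HS256 JWT (constructed helper, not OpenIG's encoder)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8")),
    ]
    signing_input = ".".join(segments).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(sig)])


def verify_jwt(token: str, key: bytes, now=None, leeway: int = 0) -> dict:
    """Verify the signature, then require and enforce "exp"; return the claims set.

    Per RFC 7519 section 4.1.4 the current time MUST be before "exp";
    `leeway` (seconds) tolerates small clock skew between issuer and verifier.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise JwtError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Only accept the algorithm we expect; never let the token pick a weaker one.
    if header.get("alg") != "HS256":
        raise JwtError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JwtError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    # Treat a missing or non-numeric "exp" as a hard failure rather than "never expires".
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise JwtError("missing exp")
    if now >= exp + leeway:
        raise JwtError("expired")
    return claims


def check_token(token: str, key: bytes, now=None, leeway: int = 0) -> str:
    """Return "ok" or the rejection reason; handy for logging decisions in a filter."""
    try:
        verify_jwt(token, key, now=now, leeway=leeway)
        return "ok"
    except JwtError as err:
        return str(err)


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-real-use"   # constructed sample key
    NOW = 1_700_000_000                                # fixed "current time" for the demo
    good = sign_jwt({"sub": "alice", "exp": NOW + 300}, KEY)
    no_exp = sign_jwt({"sub": "alice"}, KEY)
    stale = sign_jwt({"sub": "alice", "exp": NOW - 60}, KEY)
    for label, tok in (("with exp", good), ("no exp", no_exp), ("expired", stale)):
        print(f"{label:9s} -> {check_token(tok, KEY, now=NOW)}")
```

In an OpenIG deployment the equivalent of `verify_jwt` would live in the filter script, with the JWT key and the accepted leeway coming from the filter's configuration rather than hard-coded. Note the order: the signature is checked before any claim is read, so an attacker cannot simply rewrite "exp" in the payload. Also note what "exp" does and does not buy you: it bounds the window in which a captured token can be replayed, but within that window a replay still succeeds, so keep lifetimes short and pair the claim with transport protection.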

©2022 ForgeRock