Added claim for not before time (nbf) to coincide with issued at time.
This ensures JWT will not be considered valid for times before it was
issued. Failing to limit the validity in this manner is a potential
security hole.
Eric2017a committed Oct 20, 2017
1 parent ecdad26 commit 6757065
Showing 1 changed file with 1 addition and 0 deletions.
Expand Up @@ -431,6 +431,7 @@ public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext exeCtxt)
if (AUDIENCE != null) claims.setAudience(java.util.Arrays.asList(AUDIENCE));
if (JTI != null) claims.setJWTID(JTI);
claims.setIssueTime(now);
claims.setNotBeforeTime(now);
Date expiry = getExpiryDate(now,msgCtxt);
if (expiry != null) { claims.setExpirationTime(expiry); }
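Review bot: the added `claims.setNotBeforeTime(now);` sets nbf to exactly the same instant as iat with no allowance for clock skew, so any verifying party whose clock runs even a few seconds behind the signer's will reject a freshly issued token as not yet valid. Consider deriving the nbf value from `now` minus a small leeway (a few seconds to a minute), or documenting that verifiers must apply a skew tolerance when checking nbf; either keeps the intent of the commit message (no validity before issuance, bounded by a short window) without introducing spurious rejections at the moment of issue. A unit test asserting that the generated claims carry an nbf equal to, or no later than, iat would also pin down the new behaviour.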
