Added claim for not before time (nbf) to coincide with issued at time. #10

Open. Wants to merge 1 commit into base: master.
Conversation

Eric2017a

This ensures JWT will not be considered valid for times before it was
issued. Failing to limit the validity in this manner is a potential
security hole.
@googlebot

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.


  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
  • If your company signed a CLA, they designated a Point of Contact who decides which employees are authorized to participate. You may need to contact the Point of Contact for your company and ask to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the project maintainer to go/cla#troubleshoot.
  • In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again.

@Eric2017a (Author)

I signed the CLA

@googlebot

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for the commit author(s). If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again.

@Eric2017a (Author)

Just to add a little background to this change. Per the JWT specifications, the iat claim is used to determine the age of the JWT, but does not affect validity processing in any manner per section 4.1.6 of RFC 7519. Implementations that treat the iat claim as a not before time are incorrect. JWTs are valid from the beginning of time till the end of time, regardless of the issue time, unless the JWT is constrained by exp and/or nbf claims. JWTs without exp claims are valid till the end of time, while those missing nbf claims are valid from the beginning of time.

The fix here limits duration of the JWT claim to the time the claim was created till the exp claim date, if any. A better fix would be to add an option to set the not before time explicitly via a property (with a null/empty property value defaulting to the iat time and a missing property omitting the nbf claim entirely similar to the way exp is handled).
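The validity rules described in the comment above, as an added example that is not part of this pull request or of the project's own code: a claim builder that defaults nbf to iat (the change proposed here) beside an RFC 7519 style check in which iat never affects validity. Function names and the sample timestamps are assumptions; times are integer Unix seconds as the spec uses.

```python
# Constructed illustration, not the project's code.

def build_claims(issuer, audience, now, lifetime=3600, nbf=None):
    """Build a JWT claim set.

    nbf defaults to iat (the change proposed in this PR); pass nbf=False to
    omit the claim entirely, and lifetime=None to omit exp, which is how
    the follow-up comment suggests an explicit option could behave."""
    claims = {"iss": issuer, "aud": audience, "iat": now}
    if lifetime is not None:
        claims["exp"] = now + lifetime
    if nbf is None:
        claims["nbf"] = now      # token is not valid before it was issued
    elif nbf is not False:
        claims["nbf"] = nbf      # caller supplied an explicit not-before time
    return claims


def is_valid_at(claims, now, leeway=0):
    """RFC 7519 time checks: exp (4.1.4) requires now < exp, nbf (4.1.5)
    requires now >= nbf, and iat (4.1.6) is informational only. A missing
    exp or nbf leaves that side unconstrained. leeway is the optional
    clock-skew allowance the RFC permits, in seconds."""
    exp = claims.get("exp")
    if exp is not None and now >= exp + leeway:
        return False
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        return False
    return True  # iat is deliberately not consulted
```

With nbf present a token presented before its iat is rejected; with nbf omitted the same token is accepted at any time before exp, which is the gap the pull request closes.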

@googlebot

CLAs look good, thanks!

@Eric2017a (Author)

Fixed up author info, commit name should now be correct.
