Added claim for not before time (nbf) to coincide with issued at time. #10
base: master
Conversation
This ensures JWT will not be considered valid for times before it was issued. Failing to limit the validity in this manner is a potential security hole.
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed, please reply here (e.g. I signed the CLA).
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for the commit author(s). If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
Just to add a little background to this change. Per the JWT specifications, the iat claim is used to determine the age of the JWT, but does not affect validity processing in any manner per section 4.1.6 of RFC 7519. Implementations that treat the iat claim as a not before time are incorrect. JWTs are valid from the beginning of time till the end of time, regardless of the issue time, unless the JWT is constrained by exp and/or nbf claims. JWTs without exp claims are valid till the end of time, while those missing nbf claims are valid from the beginning of time. The fix here limits duration of the JWT claim to the time the claim was created till the exp claim date, if any. A better fix would be to add an option to set the not before time explicitly via a property (with a null/empty property value defaulting to the iat time and a missing property omitting the nbf claim entirely similar to the way exp is handled).
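A worked illustration of the point made in this comment, added here as an example and not code from this repository: a minimal RFC 7519 validity check showing that iat alone never rejects a token, while setting nbf = iat (what the pull request does) closes the window before issuance. The issuer name, claim values and leeway are constructed for the example.

```python
"""Validity window of a JWT claim set per RFC 7519: only exp (4.1.4) and
nbf (4.1.5) bound validity; iat (4.1.6) is informational.
Added example; not the project's own code."""
import time

LEEWAY = 60  # seconds of clock skew tolerated (RFC 7519 allows "some small leeway")


def make_claims(issued_at, lifetime=None, bind_nbf=False):
    """Build a claim set. `lifetime` adds exp = iat + lifetime;
    `bind_nbf` adds nbf = iat, which is what this pull request does."""
    claims = {"iss": "example-issuer", "iat": issued_at}  # constructed issuer
    if lifetime is not None:
        claims["exp"] = issued_at + lifetime
    if bind_nbf:
        claims["nbf"] = issued_at
    return claims


def is_valid_at(claims, now):
    """True if `now` lies inside the claim set's validity window.
    A missing exp means no upper bound; a missing nbf means no lower bound,
    whatever iat says. iat is deliberately not consulted."""
    if "exp" in claims and now >= claims["exp"] + LEEWAY:
        return False
    if "nbf" in claims and now < claims["nbf"] - LEEWAY:
        return False
    return True


def demo(now=None):
    """Compare a token stamped one hour in the future (e.g. a skewed issuer
    clock) with and without nbf bound to iat, evaluated at `now`."""
    now = int(time.time()) if now is None else now
    future_iat = now + 3600
    iat_only = make_claims(future_iat, lifetime=300)
    nbf_bound = make_claims(future_iat, lifetime=300, bind_nbf=True)
    return {
        "iat_only": is_valid_at(iat_only, now),        # accepted before issuance
        "nbf_equals_iat": is_valid_at(nbf_bound, now),  # rejected until nbf
    }


if __name__ == "__main__":
    print(demo())
```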
CLAs look good, thanks!
Fixed up author info, commit name should now be correct.
This ensures JWT will not be considered valid for times before it was
issued. Failing to limit the validity in this manner is a potential
security hole.