Create mp.jwt.verify.token.age config property for issue #195

[teddyjtorres]

Signed-off-by: Teddy J. Torres teddyjtorres@hotmail.com
For issue #195

[sberyozkin]

@teddyjtorres re

Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.

This is fine, I see a similar line in the JWT spec itself; but I wonder, since the implementations already offer a similar leeway for the exp claim, would it be worth introducing an optional leeway property which would apply to both the exp and this age checks.

For ex, mp.jwt.verify.leeway - leeway which accounts for clock skew during the token expiry and age verification, default value is 60 secs something like that.

What do you think ?

[teddyjtorres]

Hi @sberyozkin. I was thinking along those lines too. I agree on adding mp.jwt.verify.leeway or mp.jwt.verify.clock.skew, whichever makes sense.

[sberyozkin]

@teddyjtorres Hi, mp.jwt.verify.clock.skew reads better I guess, and I suppose we won't need to TCK test this particular property

[teddyjtorres]

@sberyozkin Hi, I added the mp.jwt.verify.clock.skew property.

[sberyozkin]

@teddyjtorres Thanks for opening this PR; can you please add a TCK to it ?

I said I can do it but I've looked at the code, it should be a simple update:

• add this property to the resource loaded here, https://github.com/eclipse/microprofile-jwt-auth/blob/master/tck/src/test/java/org/eclipse/microprofile/jwt/tck/container/jaxrs/InvalidTokenTest.java#L66, lets say, make it 4 secs
• copy https://github.com/eclipse/microprofile-jwt-auth/blob/master/tck/src/test/java/org/eclipse/microprofile/jwt/tck/container/jaxrs/InvalidTokenTest.java#L83 to a new test, remove the invalid fields property in that new test and after generating a token add a sleep for 5 secs - this should also fail with 401.

That should be enough

Thanks

(P.S I won't make it to the today's call, apologies)

[sberyozkin]

Thanks @teddyjtorres