Create mp.jwt.verify.token.age config property for issue #195 #284
### `mp.jwt.verify.token.age` | ||
|
||
The `mp.jwt.verify.token.age` config property allows for the number of seconds since `iat` to be specified. A MicroProfile JWT implementation must verify the `iat` claim of incoming JWTs is present and the configured value of `mp.jwt.verify.token.age` since `iat` has not elapsed. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. | ||
|
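Review bot: the sentence "A MicroProfile JWT implementation must verify the `iat` claim of incoming JWTs is present" is not scoped to the case where `mp.jwt.verify.token.age` is configured, so as written it reads as making `iat` mandatory for every token. Suggest stating that the check applies only when the property is set, and saying what happens when it is unset. The clock-skew sentence also leaves the leeway open ("usually no more than a few minutes"), which lets a token outlive the configured age by an unspecified amount; consider tying the leeway to a configured value so the effective maximum age is predictable.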
> Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.

This is fine, I see a similar line in the JWT spec itself; but I wonder, since the implementations already offer a similar leeway for the `exp` claim, would it be worth introducing an optional leeway property which would apply to both the `exp` and this age checks.
For ex, `mp.jwt.verify.leeway` - leeway which accounts for clock skew during the token expiry and age verification, default value is 60 secs something like that.
What do you think?
Hi @sberyozkin. I was thinking along those lines too. I agree on adding `mp.jwt.verify.leeway` or `mp.jwt.verify.clock.skew`, whichever makes sense.
@teddyjtorres Hi, `mp.jwt.verify.clock.skew` reads better I guess, and I suppose we won't need to TCK test this particular property
@sberyozkin Hi, I added the mp.jwt.verify.clock.skew property.
@teddyjtorres Thanks for opening this PR; can you please add a TCK to it? I said I can do it but I've looked at the code, it should be a simple update:
That should be enough. Thanks (P.S. I won't make it to today's call, apologies)
Signed-off-by: Teddy J. Torres <teddyjtorres@hotmail.com>
01279e5 to ed58fb0
Thanks @teddyjtorres
Signed-off-by: Teddy J. Torres teddyjtorres@hotmail.com
For issue #195
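
The age check discussed in this PR, with the clock-skew leeway applied, as an added example that is not code from the PR or from any MicroProfile JWT implementation. The class, enum and method names are hypothetical, and rejecting an `iat` that lies in the future beyond the skew is an assumption the PR text does not require.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;

// Added illustration; TokenAgeCheck and Result are hypothetical names, not MicroProfile JWT API.
public class TokenAgeCheck {

    enum Result { OK, MISSING_IAT, TOO_OLD, ISSUED_IN_FUTURE }

    private final long maxAgeSeconds;    // value of mp.jwt.verify.token.age
    private final long clockSkewSeconds; // value of mp.jwt.verify.clock.skew
    private final Clock clock;           // injectable so the check can be tested

    TokenAgeCheck(long maxAgeSeconds, long clockSkewSeconds, Clock clock) {
        this.maxAgeSeconds = maxAgeSeconds;
        this.clockSkewSeconds = clockSkewSeconds;
        this.clock = clock;
    }

    // iat is the claim as a NumericDate (seconds since the epoch), or null when absent.
    Result check(Long iat) {
        if (iat == null) {
            return Result.MISSING_IAT;       // the iat claim must be present
        }
        long age = clock.instant().getEpochSecond() - iat;
        if (age > maxAgeSeconds + clockSkewSeconds) {
            return Result.TOO_OLD;           // configured age, plus leeway, has elapsed
        }
        if (age < -clockSkewSeconds) {
            return Result.ISSUED_IN_FUTURE;  // assumption: extra check, not in the PR text
        }
        return Result.OK;
    }

    public static void main(String[] args) {
        // Constructed sample values: fixed "now", 300 s age limit, 60 s skew.
        long now = 1_700_000_000L;
        Clock fixed = Clock.fixed(Instant.ofEpochSecond(now), ZoneOffset.UTC);
        TokenAgeCheck check = new TokenAgeCheck(300, 60, fixed);

        System.out.println("no iat:        " + check.check(null));
        System.out.println("age 120 s:     " + check.check(now - 120));
        System.out.println("age 330 s:     " + check.check(now - 330)); // past limit, within skew
        System.out.println("age 400 s:     " + check.check(now - 400));
        System.out.println("iat now+30 s:  " + check.check(now + 30));  // within skew
        System.out.println("iat now+600 s: " + check.check(now + 600));
    }
}
```

With a skew of 60 seconds, the effective maximum age is 360 seconds rather than the configured 300, which is why the leeway should stay small relative to the age limit.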