Move nbf and exp verifications after signature verification. #53
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
It looks good. Could you check CI is failing? |
|
Looks like it was a mismatch between the version in |
|
LGTM |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi,
I would like to move the signature validation before the check of
expandnbfclaims.I have the following scenario, which I believe is quite common: I sign tokens with an expiration date, but I want my system to be able to refresh them (i.e. re-emit a new one with the data of the old one, but with a later expiration date) if the expiration date was near AND the token passed validation. Currently I can't, because an expiration error will be thrown before the actual validation.
To do that, we need the token to be validated first, and then its expiration checked. People that don't want to use expiration, can just opt-out and not put any
expflag, as usual. This should not change anything for the rest of the users, and allow a new interesting use case.Please tell me if there is an issue I did not think of.