Thanks for the feedback everyone. Here's a PR for review: https://github.com/apache/tomee/pull/604
Jon

On Fri, Nov 8, 2019 at 5:19 PM Richard Monson-Haefel <monsonhae...@gmail.com> wrote:
> +1
>
> On Fri, Nov 8, 2019 at 10:16 AM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>
> > Hi All,
> >
> > At present TomEE will reject JWT tokens where the exp claim is a timestamp that is in the past. We also reject tokens where there is no exp claim at all.
> >
> > I propose adding a setting which will allow tokens without an exp claim to be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 - using exp is optional).
> >
> > The current behavior (not allowing a token without an exp claim) would be the default, and the option to allow tokens without an exp would need to be explicitly enabled.
> >
> > Are there any objections?
> >
> > Jon
> >
>
> --
> Richard Monson-Haefel
> https://twitter.com/rmonson
> https://www.linkedin.com/in/monsonhaefel/
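The exp-claim policy discussed in the thread above (reject past exp, reject missing exp by default, accept missing exp only when explicitly enabled), as an added illustration that is not part of the thread or of TomEE's own code. It assumes the token's signature has already been verified by the caller; the `allow_missing_exp` flag, `exp_status` and `make_unsigned_fixture` names are hypothetical, and the fixture tokens are constructed, unsigned test data only.

```python
import base64
import json
import time
from typing import Optional


class InvalidTokenError(Exception):
    """Raised when a token fails the exp-claim policy check."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def payload_claims(token: str) -> dict:
    """Return the claims set of a compact JWS. Signature checking is the caller's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidTokenError("not a compact JWS: expected three segments")
    return json.loads(_b64url_decode(parts[1]))


def exp_status(claims: dict, allow_missing_exp: bool = False,
               now: Optional[float] = None, leeway: int = 0) -> str:
    """Classify the exp claim: 'ok', 'missing-exp' or 'expired'.

    Default behaviour matches the thread: a token with no exp is rejected.
    Only with allow_missing_exp=True (the proposed opt-in setting) is it accepted.
    """
    now = time.time() if now is None else now
    if "exp" not in claims:
        return "ok" if allow_missing_exp else "missing-exp"
    exp = claims["exp"]
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return "expired"  # a non-NumericDate exp is treated as unusable, not as absent
    # RFC 7519 4.1.4: the current time MUST be before exp (optional small leeway).
    return "ok" if now - leeway < exp else "expired"


def check_exp(token: str, allow_missing_exp: bool = False,
              now: Optional[float] = None, leeway: int = 0) -> dict:
    """Decode the token and enforce the exp policy, returning its claims on success."""
    claims = payload_claims(token)
    status = exp_status(claims, allow_missing_exp, now, leeway)
    if status != "ok":
        raise InvalidTokenError(status)
    return claims


def make_unsigned_fixture(claims: dict) -> str:
    # Constructed test fixture only: empty signature segment, never accept such a token.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."
```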