Sounds reasonable to me

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

On Mon, Nov 11, 2019 at 3:25 PM Jonathan Gallimore <[email protected]> wrote:

> Thanks for the feedback everyone. Here's a PR for review:
> https://github.com/apache/tomee/pull/604
>
> Jon
>
> On Fri, Nov 8, 2019 at 5:19 PM Richard Monson-Haefel <[email protected]> wrote:
>
> > +1
> >
> > On Fri, Nov 8, 2019 at 10:16 AM Jonathan Gallimore <[email protected]> wrote:
> >
> > > Hi All,
> > >
> > > At present TomEE will reject JWT tokens where the exp claim is a timestamp
> > > that is in the past. We also reject tokens where there is no exp claim at
> > > all.
> > >
> > > I propose adding a setting which will allow tokens without an exp claim to
> > > be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 - using
> > > exp is optional).
> > >
> > > The current behavior (not allowing a token without an exp claim) would be
> > > the default, and the option to allow tokens without an exp would need to be
> > > explicitly enabled.
> > >
> > > Are there any objections?
> > >
> > > Jon
> >
> > --
> > Richard Monson-Haefel
> > https://twitter.com/rmonson
> > https://www.linkedin.com/in/monsonhaefel/
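
The exp handling discussed in the thread above, sketched as an added Java example; it is not part of the original messages and is not TomEE's code or the code in the linked PR. The names `ExpClaimCheck`, `checkExp` and `allowMissingExp` are hypothetical, the sample claims are constructed, and the token's signature is assumed to have been verified before this check runs.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

public class ExpClaimCheck {

    enum Result { ACCEPTED, REJECTED_MISSING_EXP, REJECTED_MALFORMED_EXP, REJECTED_EXPIRED }

    // claims: decoded payload of a token whose signature was already verified.
    // allowMissingExp: hypothetical name for the proposed opt-in; false keeps current behavior.
    static Result checkExp(Map<String, Object> claims, Instant now, boolean allowMissingExp) {
        if (!claims.containsKey("exp")) {
            // RFC 7519 section 4.1.4 makes exp optional; only the opt-in accepts its absence.
            return allowMissingExp ? Result.ACCEPTED : Result.REJECTED_MISSING_EXP;
        }
        Object raw = claims.get("exp");
        // The opt-in covers absence only. A present but non-numeric exp (string, null)
        // is rejected in both modes, so a garbled claim cannot pass as "no expiry".
        if (!(raw instanceof Number)) {
            return Result.REJECTED_MALFORMED_EXP;
        }
        double expSeconds = ((Number) raw).doubleValue();
        if (Double.isNaN(expSeconds) || Double.isInfinite(expSeconds)) {
            return Result.REJECTED_MALFORMED_EXP;
        }
        // exp is a NumericDate (seconds since the epoch); now must be strictly before it.
        double nowSeconds = now.toEpochMilli() / 1000.0;
        return nowSeconds < expSeconds ? Result.ACCEPTED : Result.REJECTED_EXPIRED;
    }

    public static void main(String[] args) {
        Instant now = Instant.ofEpochSecond(1573485900L); // constructed "current time"
        Map<String, Object> noExp = new HashMap<>();      // constructed sample claims
        noExp.put("sub", "alice");
        Map<String, Object> expired = new HashMap<>(noExp);
        expired.put("exp", 1573485000L);
        Map<String, Object> valid = new HashMap<>(noExp);
        valid.put("exp", 1573489500L);
        Map<String, Object> garbled = new HashMap<>(noExp);
        garbled.put("exp", "never");

        for (boolean allow : new boolean[] { false, true }) {
            System.out.println("allowMissingExp=" + allow
                + " noExp=" + checkExp(noExp, now, allow)
                + " expired=" + checkExp(expired, now, allow)
                + " valid=" + checkExp(valid, now, allow)
                + " garbled=" + checkExp(garbled, now, allow));
        }
    }
}
```

With the opt-in enabled, a token without exp never expires by this check, so its lifetime has to be bounded some other way, such as key rotation or revocation.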
