+1

On Mon, Nov 11, 2019 at 4:10 PM Jean-Louis Monteiro <[email protected]> wrote:

> Sounds reasonable to me
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
> On Mon, Nov 11, 2019 at 3:25 PM Jonathan Gallimore <[email protected]> wrote:
>
> > Thanks for the feedback everyone. Here's a PR for review:
> > https://github.com/apache/tomee/pull/604
> >
> > Jon
> >
> > On Fri, Nov 8, 2019 at 5:19 PM Richard Monson-Haefel <[email protected]> wrote:
> >
> > > +1
> > >
> > > On Fri, Nov 8, 2019 at 10:16 AM Jonathan Gallimore <[email protected]> wrote:
> > >
> > > > Hi All,
> > > >
> > > > At present TomEE will reject JWT tokens where the exp claim is a timestamp
> > > > that is in the past. We also reject tokens where there is no exp claim at
> > > > all.
> > > >
> > > > I propose adding a setting which will allow tokens without an exp claim to
> > > > be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 - using
> > > > exp is optional).
> > > >
> > > > The current behavior (not allowing a token without an exp claim) would be
> > > > the default, and the option to allow tokens without an exp would need to be
> > > > explicitly enabled.
> > > >
> > > > Are there any objections?
> > > >
> > > > Jon
> > >
> > > --
> > > Richard Monson-Haefel
> > > https://twitter.com/rmonson
> > > https://www.linkedin.com/in/monsonhaefel/
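
Added example, not part of the thread and not TomEE's code: a sketch of the policy proposed above, where a token without `exp` is rejected unless an opt-in is set and an expired `exp` is rejected either way. The `allow_no_exp` parameter name and the sample tokens are constructed for illustration, and signature verification is assumed to have been done before this check.

```python
import base64
import json
import time


class TokenRejected(Exception):
    """The exp policy refused the token."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Constructed sample: real header and payload, placeholder signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"


def read_claims(token: str) -> dict:
    """Decode the payload of a compact JWS (signature assumed already verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a three-part compact token")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as err:  # bad base64, bad UTF-8 or bad JSON
        raise TokenRejected("payload is not base64url JSON") from err
    if not isinstance(claims, dict):
        raise TokenRejected("payload is not a JSON object")
    return claims


def check_exp(token: str, now=None, allow_no_exp: bool = False):
    """Return exp, or None when exp is absent and allowed; raise otherwise.

    allow_no_exp is a hypothetical name for the opt-in setting proposed in
    the thread; it defaults to False, the current reject-if-missing behaviour.
    """
    claims = read_claims(token)
    now = time.time() if now is None else now
    if "exp" not in claims:
        if allow_no_exp:
            return None  # accepted, but this token never expires on its own
        raise TokenRejected("exp claim is missing")
    exp = claims["exp"]
    # RFC 7519 NumericDate is a JSON number; bool is an int subclass in Python.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise TokenRejected("exp is not a NumericDate")
    if now >= exp:  # current time must be strictly before exp
        raise TokenRejected("token has expired")
    return exp
```

With the opt-in enabled, a token that carries no `exp` stays valid until its signing key is rotated or it is revoked by some other means.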
