Hi Team,
During token introspection we can request the user information related to
the access token in the form of a JWT. This JWT is sent under the parameter
'token_string'.
Ex:
{
"token_string":"eyJ4NXQiO... (JWT)",
"active":true,
"token_type":"Bearer",
"exp":1536076577,
"iat":1536072977,
"nbf":1536072977,
"client_id":"5qqc07uvtnnouDYzxe63jLlnjOEa",
"username":"[email protected]"
}
The exp (Expiration Time), iat (Issued At), nbf (Not Before) values in the
above response are based on the original token issue time and this is the
expected outcome as per the specification [1].
However, there's confusion when it comes to setting these values in the
JWT sent with 'token_string'.
The current behavior is that 'iat' in the JWT is calculated based on the
issued time of the introspecting access token but the 'exp' value is
calculated based on the creation time of the JWT.
I would like to know your opinion on what these values should be based on.
Should they be the same as the access token's iat, exp, and nbf, or should
they be based on the generation time of the JWT itself?
[1] - https://tools.ietf.org/html/rfc7662#page-6
Thanks,
Omindu
--
Omindu Rathnaweera
Senior Software Engineer, WSO2 Inc.
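
Added example, not part of the original message and not WSO2 code: a check a resource server could run to spot the inconsistency described above, comparing the time claims in the introspection response with those inside the JWT carried in 'token_string'. The sample response is constructed; the 10-minute gap before introspection, the 3600-second lifetime, the unsigned JWT and the function names are assumptions.

```python
import base64
import json

TIME_CLAIMS = ("iat", "nbf", "exp")


def b64url(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in compact JWTs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(jwt: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified here;
    a real consumer must verify it before trusting any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def time_claim_mismatches(introspection: dict) -> dict:
    """Map each differing time claim to (response value, embedded JWT value)."""
    jwt_claims = decode_jwt_claims(introspection["token_string"])
    return {
        name: (introspection.get(name), jwt_claims.get(name))
        for name in TIME_CLAIMS
        if introspection.get(name) != jwt_claims.get(name)
    }


def build_sample_response() -> dict:
    """Constructed sample reproducing the behaviour described in the message:
    JWT 'iat' follows the access token, JWT 'exp' follows JWT creation time."""
    issued_at = 1536072977            # access token issue time (from the example)
    lifetime = 3600                   # assumed lifetime: exp - iat in the example
    jwt_created_at = issued_at + 600  # assumed: introspected 10 minutes later
    header = {"alg": "none", "typ": "JWT"}  # unsigned, for illustration only
    claims = {"iat": issued_at, "nbf": issued_at,
              "exp": jwt_created_at + lifetime}
    segments = [b64url(json.dumps(part).encode()) for part in (header, claims)]
    return {"token_string": ".".join(segments + [""]), "active": True,
            "token_type": "Bearer", "exp": issued_at + lifetime,
            "iat": issued_at, "nbf": issued_at}


if __name__ == "__main__":
    for name, (resp, jwt) in time_claim_mismatches(build_sample_response()).items():
        print(f"{name}: response={resp} token_string JWT={jwt}")
```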