+1 for Ishara's explanation. We also need to put this in docs clearly.
Cheers,
Ruwan

On Wed, Sep 5, 2018 at 9:04 AM Ishara Karunarathna wrote:
> Hi Omindu,
>
> Please find my thoughts on this.
>
> According to the "OAuth 2.0 Token Introspection" specification [1], these
> values should be based on the original access token, and the exp, iat, nbf
> values should use the format defined in the "JSON Web Token (JWT)"
> specification [2].
> When we create a JWT out of this, yes, there is a confusion, because the
> JWT spec [2] defines these values specific to the new JWT token that we
> create.
>
> Combining these two, I interpret it in this way:
> 1. The exp, iat, nbf in the JWT spec define the time frame in which this
> JWT token is valid.
> 2. All the data in this JWT token is only valid till the original access
> token is valid.
> 3. Then the validity of the JWT should be within the validity of the
> original access token.
>
> So I think:
> iat: should be the new JWT issuing time.
> nbf: JWT issuing time, or the original nbf if this is a future value.
> exp: should be calculated from the original exp time.
>
> Thanks,
> Ishara
>
> [1] https://tools.ietf.org/html/rfc7662#page-6
> [2] https://tools.ietf.org/html/rfc7519
>
> On Wed, Sep 5, 2018 at 8:17 AM Omindu Rathnaweera wrote:
>
>> Hi Team,
>>
>> During token introspection we can request the user information related to
>> the access token in the form of a JWT. This JWT is sent under the parameter
>> 'token_string'.
>>
>> Ex:
>>
>> {
>>   "token_string":"eyJ4NXQiO... (JWT)",
>>   "active":true,
>>   "token_type":"Bearer",
>>   "exp":1536076577,
>>   "iat":1536072977,
>>   "nbf":1536072977,
>>   "client_id":"5qqc07uvtnnouDYzxe63jLlnjOEa",
>>   "username":"[email protected]"
>> }
>>
>> The exp (Expiration Time), iat (Issued At), nbf (Not Before) values in
>> the above response are based on the original token issue time, and this is
>> the expected outcome as per the specification [1].
>>
>> However, there's a confusion when it comes to setting these values in the
>> JWT sent with 'token_string'.
>>
>> The current behavior is that 'iat' in the JWT is calculated based on the
>> issued time of the introspected access token, but the 'exp' value is
>> calculated based on the creation time of the JWT.
>>
>> I would like to know your opinion on what these values should be based on.
>> Should they be the same as the access token's iat, exp, and nbf, or should
>> they be based on the generation time of the JWT itself?
>>
>> [1] - https://tools.ietf.org/html/rfc7662#page-6
>>
>> Thanks,
>> Omindu
>> --
>> Omindu Rathnaweera
>> Senior Software Engineer, WSO2 Inc.
>
> --
> Ishara Karunarathna
> Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>
> blog: isharaaruna.blogspot.com, mobile: +94717996791

--
Ruwan Abeykoon
Associate Director/Architect, WSO2, Inc.
http://wso2.com
lean.enterprise.middleware.
_______________________________________________
Dev mailing list
http://wso2.org/cgi-bin/mailman/listinfo/dev
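The rule Ishara lays out above (iat = time the JWT is minted; nbf = the later of that time and the original token's nbf; exp = the original token's exp, so the JWT's validity window sits inside the access token's window) as a worked example. This is added illustration code, not WSO2 Identity Server's implementation: the introspection response is a constructed sample modelled on Omindu's example with a placeholder username, the JWT is signed with a plain HS256 HMAC using only the standard library, and which non-time claims are copied into the token_string JWT (client_id, username, token_type) is an assumption made here for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample modelled on the introspection response in the thread.
# token_string is omitted because it is what we are building; the username
# is a placeholder, not a real address.
SAMPLE_INTROSPECTION = {
    "active": True,
    "token_type": "Bearer",
    "exp": 1536076577,
    "iat": 1536072977,
    "nbf": 1536072977,
    "client_id": "5qqc07uvtnnouDYzxe63jLlnjOEa",
    "username": "alice@example.com",
}

TIME_CLAIMS = ("exp", "iat", "nbf")
# Keys from the introspection response that must not be copied into the JWT.
SKIP_CLAIMS = ("active", "token_string")


def derive_jwt_claims(introspection, now):
    """Build the claim set for the JWT carried in token_string.

    iat is the JWT's own issue time, nbf is the later of that time and the
    original token's nbf, and exp is the original token's exp, so the JWT can
    never be valid outside the window of the access token it describes.
    """
    if not introspection.get("active"):
        raise ValueError("token is not active; no JWT should be issued")
    orig_exp = introspection["exp"]
    orig_nbf = introspection.get("nbf", introspection.get("iat", now))
    if now >= orig_exp:
        raise ValueError("original access token has already expired")

    claims = {k: v for k, v in introspection.items()
              if k not in TIME_CLAIMS and k not in SKIP_CLAIMS}
    claims["iat"] = now
    claims["nbf"] = max(now, orig_nbf)
    claims["exp"] = orig_exp
    # Sanity check: the derived window must lie inside the original window.
    if not (orig_nbf <= claims["nbf"] < claims["exp"] <= orig_exp):
        raise ValueError("derived JWT window falls outside the access token window")
    return claims


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims, key):
    """Mint a compact JWS (HS256) over the claims; demo signer, not WSO2's."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"),
                                 sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token, key, now, leeway=0):
    """Verify signature, then enforce nbf <= now < exp as RFC 7519 requires."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now + leeway < claims["nbf"]:
        raise ValueError("token not yet valid")
    if now - leeway >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    now = 1536074000  # some instant between the sample's iat and exp
    claims = derive_jwt_claims(SAMPLE_INTROSPECTION, now)
    token = encode_hs256(claims, b"demo-secret")
    print(json.dumps(verify_hs256(token, b"demo-secret", now), indent=2))
```

Note the two failure modes the derivation guards against: an inactive or already-expired access token yields no JWT at all, and a JWT minted for a token whose nbf is still in the future inherits that future nbf rather than becoming usable early.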
