On Wed, Sep 5, 2018 at 11:00 AM, Ruwan Abeykoon <[email protected]> wrote:
> +1 for Ishara's explanation.
>
> We also need to put this in docs clearly.
> +1. Since 'token_string' is not a standard parameter in the introspection response we must document it clearly to avoid misinterpretations.
>
> Cheers,
> Ruwan
>
> On Wed, Sep 5, 2018 at 9:04 AM Ishara Karunarathna <[email protected]> wrote:
>> Hi Omindu,
>>
>> Please find my thoughts on this.
>>
>> According to the "OAuth 2.0 Token Introspection" specification [1] these values should be based on the original access token, and the *exp, iat, nbf* values should use the format defined in the "JSON Web Token (JWT)" specification [2].
>> When we create a JWT out of this, yes, there is a confusion, because the JWT spec [2] defines these values specific to the new JWT token that we create.
>>
>> Combining these two, I interpret it this way:
>> 1. The *exp, iat, nbf* in the JWT spec define the time frame in which this JWT token is valid.
>> 2. All the data in this JWT token is only valid till the original access token is valid.
>> 3. Then the validity of the JWT should be within the validity of the original access token.
>>
>> So I think:
>> *iat*: should be the new JWT issuing time.
>> *nbf*: JWT issuing time, or the original nbf if this is a future value.
>> *exp*: should be calculated with the original exp time.
>>
>> Thanks,
>> Ishara
>>
>> [1] https://tools.ietf.org/html/rfc7662#page-6
>> [2] https://tools.ietf.org/html/rfc7519
>>
>> On Wed, Sep 5, 2018 at 8:17 AM Omindu Rathnaweera <[email protected]> wrote:
>>> Hi Team,
>>>
>>> During token introspection we can request the user information related to the access token in the form of a JWT. This JWT is sent under the parameter 'token_string'.
>>>
>>> Ex:
>>>
>>> {
>>>   "token_string":"eyJ4NXQiO... (JWT)",
>>>   "active":true,
>>>   "token_type":"Bearer",
>>>   "exp":1536076577,
>>>   "iat":1536072977,
>>>   "nbf":1536072977,
>>>   "client_id":"5qqc07uvtnnouDYzxe63jLlnjOEa",
>>>   "username":"[email protected]"
>>> }
>>>
>>> The exp (Expiration Time), iat (Issued At), nbf (Not Before) values in the above response are based on the original token issue time, and this is the expected outcome as per the specification [1].
>>>
>>> However, there's a confusion when it comes to setting these values in the JWT sent with 'token_string'.
>>>
>>> The current behavior is that 'iat' in the JWT is calculated based on the issued time of the introspected access token, but the 'exp' value is calculated based on the creation time of the JWT.
>>>
>>> I would like to know your opinion on what these values should be based on. Should they be the same as the access token's iat, exp, and nbf, or should they be based on the generation time of the JWT itself?
>>>
>>> [1] - https://tools.ietf.org/html/rfc7662#page-6
>>>
>>> Thanks,
>>> Omindu
>>> --
>>> Omindu Rathnaweera
>>> Senior Software Engineer, WSO2 Inc.
>>
>> --
>> Ishara Karunarathna
>> Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> *Ruwan Abeykoon*
> *Associate Director/Architect,*
> *WSO2, Inc. http://wso2.com*
> *lean.enterprise.middleware.*

--
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619
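The claim derivation Ishara proposes, next to the mixed behaviour Omindu describes, as an added Python example that is not WSO2 code and not from the thread; the timestamps are the ones in the sample response, and taking the JWT's exp equal to the original exp is an assumed reading of "calculated with the original exp time".

```python
# Constructed sample: the introspection claims of the original access token,
# using the numbers from the example response in the thread.
ORIGINAL = {"active": True, "exp": 1536076577, "iat": 1536072977, "nbf": 1536072977}


def current_behavior(original: dict, now: int, jwt_lifetime: int) -> dict:
    """The mix described in the thread: iat copied from the access token,
    exp computed from the JWT creation time plus a JWT lifetime (assumed)."""
    return {"iat": original["iat"], "nbf": original["nbf"], "exp": now + jwt_lifetime}


def proposed_behavior(original: dict, now: int) -> dict:
    """Ishara's proposal: iat is the JWT issue time, nbf is the issue time unless
    the original nbf is still in the future, and exp is derived from the
    original exp (assumed here to equal it, so the JWT never outlives the token)."""
    if not original.get("active", False):
        raise ValueError("inactive token: no token_string JWT should be produced")
    orig_exp = int(original["exp"])
    if now >= orig_exp:
        raise ValueError("original access token already expired")
    # Fall back to iat (then to now) if the original token carries no nbf.
    orig_nbf = int(original.get("nbf", original.get("iat", now)))
    return {"iat": now, "nbf": max(now, orig_nbf), "exp": orig_exp}


def within_original_validity(jwt: dict, original: dict) -> bool:
    """Item 3 of the proposal as a check: the JWT's window must lie inside the
    access token's window, and the JWT claims must be internally consistent."""
    return (
        jwt["iat"] <= jwt["exp"]
        and jwt["nbf"] <= jwt["exp"]
        and original["nbf"] <= jwt["nbf"]
        and jwt["exp"] <= original["exp"]
    )


if __name__ == "__main__":
    now = 1536074777  # 30 minutes after the access token was issued
    mixed = current_behavior(ORIGINAL, now, 3600)
    proposed = proposed_behavior(ORIGINAL, now)
    print("current :", mixed, within_original_validity(mixed, ORIGINAL))
    print("proposed:", proposed, within_original_validity(proposed, ORIGINAL))
```

With the mixed behaviour the JWT's exp lands after the access token's exp, so the check fails; with the proposed rule every JWT claim stays inside the original token's window.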
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
