+1

On Fri, Nov 8, 2019 at 10:16 AM Jonathan Gallimore <[email protected]> wrote:

> Hi All,
>
> At present TomEE will reject JWT tokens where the exp claim is a timestamp
> that is in the past. We also reject tokens where there is no exp claim at
> all.
>
> I propose adding a setting which will allow tokens without an exp claim to
> be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 - using
> exp is optional).
>
> The current behavior (not allowing a token without an exp claim) would be
> the default, and the option to allow tokens without an exp would need to be
> explicitly enabled.
>
> Are there any objections?
>
> Jon
>

--
Richard Monson-Haefel
https://twitter.com/rmonson
https://www.linkedin.com/in/monsonhaefel/
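
Added example, not part of the thread and not TomEE's code: a sketch of the exp check the proposal describes, applied to the claims of a token whose signature has already been verified. The class name, the method and the allowNoExp parameter are hypothetical, and the claim sets and clock value are constructed.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

public class ExpClaimCheck {

    /**
     * allowNoExp stands in for the proposed setting (hypothetical name);
     * false reproduces the current behaviour described in the thread.
     */
    static boolean isAcceptable(Map<String, Object> claims, boolean allowNoExp, Instant now) {
        if (!claims.containsKey("exp")) {
            // Only a truly absent claim is covered by the opt-in.
            return allowNoExp;
        }
        Object exp = claims.get("exp");
        if (!(exp instanceof Number)) {
            // Present but null or non-numeric: rejected regardless of the
            // setting, so a malformed exp cannot pass as "no exp".
            return false;
        }
        // RFC 7519 section 4.1.4: the current time must be before exp.
        return now.getEpochSecond() < ((Number) exp).doubleValue();
    }

    public static void main(String[] args) {
        Instant now = Instant.ofEpochSecond(1573208160L); // constructed clock value

        Map<String, Object> noExp = new HashMap<>();
        noExp.put("sub", "alice");

        Map<String, Object> expired = new HashMap<>(noExp);
        expired.put("exp", 1573200000L);

        Map<String, Object> valid = new HashMap<>(noExp);
        valid.put("exp", 1573300000L);

        Map<String, Object> nullExp = new HashMap<>(noExp);
        nullExp.put("exp", null);

        System.out.println("no exp, default:   " + isAcceptable(noExp, false, now));   // false
        System.out.println("no exp, opted in:  " + isAcceptable(noExp, true, now));    // true
        System.out.println("expired, opted in: " + isAcceptable(expired, true, now));  // false
        System.out.println("valid, default:    " + isAcceptable(valid, false, now));   // true
        System.out.println("null exp, opted in:" + isAcceptable(nullExp, true, now));  // false
    }
}
```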
