Hi Omindu,

Please find my thoughts on this.

According to the "OAuth 2.0 Token Introspection" specification [1], these values
should be based on the original access token, and the *exp, iat, nbf* values should
use the format defined in the
"JSON Web Token (JWT)" specification [2].
When we create a JWT out of this, yes, there is a confusion, because the JWT
spec [2] defines these values specific to the new JWT token that we create.

Combining these two, I interpret it in this way.
1. The *exp, iat, nbf* in the JWT spec define the time frame in which this
JWT token is valid.
2. All the data in this JWT token is only valid till the original access
token is valid.
3. Then the validity of the JWT should be within the validity of the original
access token.

So I think:
*iat*: should be the new JWT issuing time.
*nbf*: JWT issuing time, or the original nbf if this is a future value.
*exp*: should be calculated with the original exp time.

Thanks,
Ishara

[1] https://tools.ietf.org/html/rfc7662#page-6
[2] https://tools.ietf.org/html/rfc7519

On Wed, Sep 5, 2018 at 8:17 AM Omindu Rathnaweera <omi...@wso2.com> wrote:

> Hi Team,
>
> During token introspection we can request the user information related to
> the access token in a form of a JWT. This JWT is sent under the parameter '
> token_string'.
>
> Ex:
>
> {
>    "token_string":"eyJ4NXQiO... (JWT)",
>    "active":true,
>    "token_type":"Bearer",
>    "exp":1536076577,
>    "iat":1536072977,
>    "nbf":1536072977,
>    "client_id":"5qqc07uvtnnouDYzxe63jLlnjOEa",
>    "username":"admin@carbon.super"
> }
>
> The exp (Expiration Time), iat (Issued At), nbf (Not Before) values in the
> above response are based on the original token issue time, and this is the
> expected outcome as per the specification [1].
>
>
> However, there's a confusion when it comes to setting these values in the
> JWT sent with 'token_string'.
>
> The current behavior is that 'iat' in the JWT is calculated based on the
> issued time of the introspecting access token but the 'exp' value is
> calculated based on the creation time of the JWT.
>
> I would like to know your opinion on what these values should be based on.
> Should they be the same as the access token's iat, exp, and nbf, or should they
> be based on the generation time of the JWT itself?
>
> [1] - https://tools.ietf.org/html/rfc7662#page-6
>
> Thanks,
> Omindu
> --
> Omindu Rathnaweera
> Senior Software Engineer, WSO2 Inc.
>


-- 
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
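The rule Ishara proposes above (iat = JWT issue time, nbf = the later of JWT issue time and the original nbf, exp clamped to the original exp) can be written down as a small, checkable function. The block below is an added example for this thread, not WSO2 Identity Server code or anything from the mailing list. It assumes: the introspection response shape quoted in the thread (reused as a constructed sample), an HS256 demo key instead of the server's certificate-based signing so it runs without dependencies, a JWT lifetime of 300 seconds as the hypothetical default, and `sub`/`client_id` as the non-time claims placed in the JWT; all of these are assumptions, not the product's behaviour.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: the introspection response quoted in the thread, minus token_string.
INTROSPECTION_RESPONSE = {
    "active": True,
    "token_type": "Bearer",
    "exp": 1536076577,
    "iat": 1536072977,
    "nbf": 1536072977,
    "client_id": "5qqc07uvtnnouDYzxe63jLlnjOEa",
    "username": "admin@carbon.super",
}

# Hypothetical signing key. A real server signs with its key pair; HS256 with a
# shared secret is used here only so the example runs stand-alone.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def derive_jwt_time_claims(introspection, now, max_jwt_lifetime=300):
    """Compute iat/nbf/exp for a JWT generated at `now` from an introspected access token.

    Rule applied (the interpretation proposed in the thread):
      iat = time the JWT itself is issued
      nbf = later of (JWT issue time, original nbf), so a not-yet-valid token stays so
      exp = earlier of (JWT issue time + its own lifetime, original exp), so the JWT
            never outlives the access token it describes
    """
    if not introspection.get("active", False):
        raise ValueError("cannot derive claims for an inactive token")
    orig_exp = int(introspection["exp"])
    orig_nbf = int(introspection.get("nbf", introspection.get("iat", now)))
    if now >= orig_exp:
        raise ValueError("original access token has already expired")
    return {
        "iat": now,
        "nbf": max(now, orig_nbf),
        "exp": min(now + max_jwt_lifetime, orig_exp),
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jwt(claims, key: bytes) -> str:
    """Serialise claims as a compact HS256 JWS (RFC 7519 / RFC 7515 encoding)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def build_introspection_with_jwt(introspection, now, key, max_jwt_lifetime=300):
    """Full response: the access token's own time claims stay at top level (RFC 7662),
    while token_string carries a JWT with time claims derived for the JWT itself."""
    times = derive_jwt_time_claims(introspection, now, max_jwt_lifetime)
    jwt_claims = {"sub": introspection["username"],  # claim names are assumptions
                  "client_id": introspection["client_id"], **times}
    response = dict(introspection)
    response["token_string"] = build_jwt(jwt_claims, key)
    return response


def verify_jwt(token, key: bytes, now):
    """Consumer-side check: pinned alg, signature, then exp/nbf against `now`."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if now >= claims["exp"]:
        raise ValueError("JWT expired")
    if now < claims["nbf"]:
        raise ValueError("JWT not yet valid")
    return claims


if __name__ == "__main__":
    now = 1536076000  # constructed 'current time', inside the original token's window
    resp = build_introspection_with_jwt(INTROSPECTION_RESPONSE, now, DEMO_KEY)
    print(json.dumps(verify_jwt(resp["token_string"], DEMO_KEY, now), indent=2))
```

With the sample values, a JWT minted at 1536076000 gets exp 1536076300 (its own 300 s lifetime), while one minted at 1536076500 is clamped to the access token's exp of 1536076577; in both cases the top-level exp/iat/nbf of the response remain those of the access token, which is the split the two specifications ask for.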
