[ https://issues.apache.org/jira/browse/CXF-4834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13581236#comment-13581236 ]

Sergey Beryozkin commented on CXF-4834:
---------------------------------------

OAuthClientUtils will set the ClientAccessToken#issuedAt property to 
"System.currentTimeMillis() / 1000" - this might lead to the client assuming 
the lifetime is a few milliseconds less than the actual one (due to 
the time lost on the actual delivery of the AT to the client) - but IMHO this is 
not critical.

AccessTokenService was temporarily reporting the "issued_at" parameter - it was 
needed at some time to get a better MAC token signature calculation, but the 
current MAC draft does not need it and it is no longer reported, given that 
"issued_at" is not a standard OAuth2 parameter but a custom CXF one - it 
probably won't harm, but by default it is not reported for well-known token 
types like Bearer.

I think what you can do is to override ServerAccessToken.getParameters() and 
return the issuedAt value, keyed by "issued_at" - will this work for you?


                
> AccessTokenService not include issuedAt on ClientAccessToken
> ------------------------------------------------------------
>
>                 Key: CXF-4834
>                 URL: https://issues.apache.org/jira/browse/CXF-4834
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.3
>            Reporter: David
>            Priority: Minor
>             Fix For: 2.7.3
>
>
> I'm currently using ClientAccessToken with AccessTokenService and issuedAt is 
> not included; the value is always -1. Could you include the value of the 
> serverToken issuedAt in ClientAccessToken?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
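
The override suggested in the comment above, sketched as an added example (not code from the CXF project or from this thread). It assumes the CXF 2.7.x classes `BearerAccessToken` and `Client` and the inherited `getIssuedAt()` / `getParameters()` accessors; the class name `IssuedAtBearerToken` is hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;

// Hypothetical subclass: the name is illustrative and not part of CXF.
public class IssuedAtBearerToken extends BearerAccessToken {

    private static final long serialVersionUID = 1L;

    // Custom CXF key discussed in the thread, not a standard OAuth2 parameter.
    private static final String ISSUED_AT = "issued_at";

    // Assumption: BearerAccessToken(Client, long lifetime) with lifetime in seconds.
    public IssuedAtBearerToken(Client client, long lifetimeSeconds) {
        super(client, lifetimeSeconds);
    }

    @Override
    public Map<String, String> getParameters() {
        // Work on a copy so the extra entry is not written back into the
        // token's stored parameter map each time the response is built.
        Map<String, String> params =
            new LinkedHashMap<String, String>(super.getParameters());

        long issuedAt = getIssuedAt(); // seconds since the epoch
        if (issuedAt > 0) {
            // Only report a real timestamp; an unset value is left out so a
            // client never computes an expiry from a placeholder.
            params.put(ISSUED_AT, Long.toString(issuedAt));
        }
        return params;
    }
}
```

A data provider would return this type when it creates the token. On the client side, an issuedAt of -1 is best treated as "unknown" and replaced with the local receipt time before computing expiry.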
