I see that the cNonce used in a request is not checked for expiration.
What is checked is whether the credential request JWT iat (which is client-generated, so not really trustable) is within the token expiration.
As I understand it, the token expiration is the access token expiration, and so instead of verifying the credential request JWT against the token expiration time, we should check it against the cNonce expiration time, to check whether the cNonce used in the request hasn't expired yet.
Is that correct?
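To illustrate the check being proposed, here is an added example (not the project's own code) of a server-side cNonce registry whose expiry, not the client-asserted iat of the proof JWT, decides whether a credential request is fresh. It assumes the proof JWT signature has already been verified and its payload decoded; the registry, TTL and function names are hypothetical.

```javascript
// Added example: server-side c_nonce registry with expiry and single-use check.
// Assumes the proof JWT signature was already verified and the payload decoded.
// Registry layout, TTL and names are hypothetical, not the project's API.

const C_NONCE_TTL_MS = 5 * 60 * 1000; // hypothetical 5-minute c_nonce lifetime

// Server-side record of every issued c_nonce: nonce -> { accessTokenId, expiresAt, used }
const nonceRegistry = new Map();

// Issue a fresh c_nonce bound to an access token and record its expiry server-side.
// The expiry lives here, under the issuer's control, not in any client-supplied claim.
function issueCNonce(accessTokenId, now = Date.now(), ttlMs = C_NONCE_TTL_MS) {
  const nonce = 'cn-' + now.toString(36) + '-' + Math.random().toString(36).slice(2);
  nonceRegistry.set(nonce, { accessTokenId, expiresAt: now + ttlMs, used: false });
  return nonce;
}

// Validate the nonce claim of a decoded credential request proof payload.
// The client's iat is deliberately ignored: only the server-recorded expiry and
// the binding to the presenting access token are consulted.
function verifyProofNonce(proofPayload, accessTokenId, now = Date.now()) {
  const entry = nonceRegistry.get(proofPayload.nonce);
  if (!entry) return { ok: false, reason: 'unknown_nonce' };
  if (entry.accessTokenId !== accessTokenId) {
    return { ok: false, reason: 'nonce_not_bound_to_token' };
  }
  if (entry.used) return { ok: false, reason: 'nonce_already_used' };
  if (now >= entry.expiresAt) {
    nonceRegistry.delete(proofPayload.nonce); // expired entries are dropped
    return { ok: false, reason: 'nonce_expired' };
  }
  entry.used = true; // each c_nonce is accepted once
  return { ok: true, reason: 'ok' };
}
```

A proof whose iat still falls inside the access token lifetime is rejected as soon as the server-recorded cNonce expiry has passed, which is the distinction raised above.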