mistermoe
commented
10 months ago cc: @jiyoontbd
Closed mistermoe closed 9 months ago
mistermoe
commented
10 months ago cc: @jiyoontbd
jiyoonie9
commented
10 months ago the todos here also mention adding nbf which is another timestamp. do we need this field in addition to jti (since that's essentially a timestamp as well)?
mistermoe
commented
10 months ago Good question @jiyoontbd! Can't think of a reason to include nbf. Down to leave it out if you are. Can't really see scenarios where people are generating and storing request tokens ahead of time that shouldn't be used until a specified time
currently, the request token used to authenticate requests like
GET /exchangesis a JWS that include:Header:
algkidPayload:
timestampI'm proposing that we shift to using JWTs instead.
the JWT should contain the following:
Header:
typ:JWT.typtoJWTas recommended by the JWT spec to provide a means to disambiguatekid: fully qualified verificationMethod ID. used to locate the verification method in a DID Document that should be used to verify the JWT signaturealg: cryptographic algorithm used to compute the JWT signaturePayload:
aud: the intended PFI's DIDaudclaim, we can limit the risk to just one PFI, thereby reducing the surface area for misuse.iss: the requester's DIDkidalso includes the requester's DIDexp: expiration timestampexplimits the duration of the attack vectoriat: when the JWT was createdjti: used as a nonce to prevent replay attacks.TODOs: PR to address this issue should: