Open eric-murray opened 1 day ago
If we are considering adding this restriction for the exp claim, or warning that some implementations may have this restriction, it might be convenient to include a similar statement for the jti claim according to RFC 7523:

"The authorization server MAY ensure that JWTs are not replayed by maintaining the set of used "jti" values for the length of time for which the JWT would be considered valid based on the applicable "exp" instant."
some implementations may have this restriction
ALL implementations will have some limitation on acceptable token lifetime. I am proposing that we make it explicit to the API consumer that tokens with a lifetime less than 300 seconds will be accepted by all authorisation servers. This would be new information for the API consumer.
Your proposed text on jti values is an implementation hint for authorisation servers, but adds no new information for API consumers. CAMARA should try to keep its specifications compact by only providing information that the API consumer needs to know. So I'd prefer not to include such hints.
Problem description
CAMARA mandates that clients be authenticated using private_key_jwt. The OIDC Core specification mandates that the JWT includes an exp claim. Whilst tokens that have expired must be rejected by the authorisation server, creating long lived tokens (to remove the risk of token expiration) itself leads to potential security risks. This is recognised by RFC 7523, which states:
However, neither RFC 7523 nor OIDC nor CAMARA give any guidance as to what is considered to be "unreasonably far in the future", or what should be the minimum token lifetime that must be accepted by all authorisation servers. This could lead to a situation where client implementations generate tokens that are accepted by some authorisation servers, but rejected by others, purely because of the token lifetime.
Possible evolution
A minimum JWT token lifetime that must be accepted by all authorisation servers should be mandated by CAMARA. It is proposed that this minimum lifetime be 300 seconds, which is plenty of time for a token to be generated and then presented to the authorisation server. This requirement could be appended to the existing text on client authentication as follows:
Alternative solution None offered
Additional context None
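An added example (not code from the issue or from CAMARA) of what the two proposals look like on the authorisation server side: the exp check that guarantees any assertion with a lifetime of up to 300 seconds is accepted while still rejecting expiry times "unreasonably far in the future", plus the jti replay set from the RFC 7523 text quoted in the first comment, kept only for as long as the assertion could still be valid. The 300 second minimum is the value from the issue; the upper bound, the clock skew allowance and the validator's name are assumptions, and signature verification is assumed to happen before these checks.

```python
import time

# Lifetime policy under discussion. MIN_ACCEPTED_LIFETIME is the proposed
# value from the issue; the other two are assumed server-side settings.
MIN_ACCEPTED_LIFETIME = 300   # seconds every authorisation server must accept
DEFAULT_MAX_LIFETIME = 3600   # assumed: beyond this exp is "unreasonably far"
DEFAULT_CLOCK_SKEW = 30       # assumed allowance for clock drift


class ClientAssertionValidator:
    """Checks exp and jti of a private_key_jwt client assertion (claims only;
    signature verification is assumed to have happened already)."""

    def __init__(self, max_lifetime=DEFAULT_MAX_LIFETIME, skew=DEFAULT_CLOCK_SKEW):
        # A server policy that would reject 300-second tokens breaks the proposed rule.
        if max_lifetime < MIN_ACCEPTED_LIFETIME:
            raise ValueError("server policy must accept the mandated minimum lifetime")
        self.max_lifetime = max_lifetime
        self.skew = skew
        self._seen = {}  # jti -> exp of the assertion that used it

    def _purge(self, now):
        # A jti only needs remembering while its JWT could still be valid
        # (RFC 7523: keep used values for the time the JWT is valid based on exp).
        self._seen = {j: e for j, e in self._seen.items() if e + self.skew > now}

    def check(self, claims, now=None):
        """Return (accepted, reason). Records the jti only on acceptance."""
        now = time.time() if now is None else now
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)):
            return False, "missing exp"
        if exp + self.skew < now:
            return False, "expired"
        # Remaining validity beyond the server's ceiling (plus skew) is rejected;
        # anything up to MIN_ACCEPTED_LIFETIME is guaranteed to pass this check.
        if exp - now > self.max_lifetime + self.skew:
            return False, "exp unreasonably far in the future"
        jti = claims.get("jti")
        if not jti:
            return False, "missing jti"
        self._purge(now)
        if jti in self._seen:
            return False, "replayed jti"
        self._seen[jti] = exp
        return True, "ok"
```

Running the same assertion twice within its lifetime is rejected as a replay, but the same jti value is accepted again once the earlier assertion's exp (plus skew) has passed, which is exactly the retention window the RFC text describes.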