[Open] Voileexperiments opened this issue 1 week ago

After looking at the source code, the handling of `ValidateIssuedTime` is incorrect, since it actually validates `nbf` instead of `iss`:

`iss` and `nbf` are completely different, and they can be set with different values (e.g. if you're issuing a token that should only be usable at a later date).

Check this out: https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1
`iss` and `nbf` are completely different, indeed. The former stands for "issuer". Are you confusing `iss` and `iat`?

I agree that the validation parameter's name is confusing (incorrect), issued -> something else. But what would be a better, yet readable, name?

Can you describe your scenario in which you need to validate the `iat` claim? And how you'd like to validate it? In AAD for example, both claims usually have the same value.
Sorry, I meant `iat` when I said `iss` above.

> I agree that the validation parameter's name is confusing (incorrect), issued -> something else. But what would be a better, yet readable, name?
>
> Can you describe your scenario in which you need to validate the `iat` claim?

I don't really need to validate `iat`, but naming `ValidateIssuedTime` for `nbf` instead of something like `ValidateNotBefore` is semantically incorrect according to the JWT spec, since `iat` and `nbf` have well-defined meanings by RFC 7159:

> The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.
>
> The "iat" (issued at) claim identifies the time at which the JWT was issued.

A parameter named `ValidateIssuedTime` should unambiguously be handling the "issued time" field, otherwise it is not doing what it says it's supposed to do. Yes, `iat` usually doesn't need to be validated, but then using `ValidateIssuedTime` to validate `nbf` is not correct either.
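The distinction drawn above between `nbf`, `iat` and `exp`, as an added worked example (constructed for this page; it is not code from the thread or from the library under discussion, and it is written in Python rather than against that library's API). The parameter names `validate_not_before`, `validate_issued_at`, `validate_expiration_time` and `leeway_seconds` are hypothetical names chosen so that each one names the claim it actually checks; the claim set is constructed and uses small epoch values so the boundaries are easy to follow. The inequalities follow RFC 7519 section 4.1: `exp` is exclusive (a token is expired at `exp` itself), `nbf` is inclusive (a token is acceptable at `nbf` itself), and `iat` carries no acceptance rule of its own, so its only check here is the common "not issued in the future" sanity test.

```python
"""Time-claim validation for a JWT claim set, per RFC 7519 section 4.1.

Constructed example: not code from the library discussed in this thread.
It works on an already-parsed claim set; signature verification is a
separate step that must succeed before these checks carry any meaning.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

NumericDate = Union[int, float]  # seconds since the Unix epoch


@dataclass
class TimeValidationParameters:
    """Hypothetical parameter names, chosen so each one names the claim it checks."""
    validate_expiration_time: bool = True  # exp: reject tokens that have expired
    validate_not_before: bool = True       # nbf: reject tokens that are not yet valid
    validate_issued_at: bool = False       # iat: optional sanity check, rarely needed
    leeway_seconds: int = 0                # tolerated clock skew, issuer vs verifier


def _numeric_date(claims: Dict[str, object], name: str) -> Optional[NumericDate]:
    """Return the claim as a NumericDate, or None when absent (all three are optional)."""
    value = claims.get(name)
    if value is None:
        return None
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"claim {name!r} must be a NumericDate, got {type(value).__name__}")
    return value


def validate_time_claims(claims: Dict[str, object],
                         params: TimeValidationParameters,
                         now: NumericDate) -> List[str]:
    """Return the list of violated time constraints; an empty list means acceptable."""
    errors: List[str] = []
    leeway = params.leeway_seconds

    exp = _numeric_date(claims, "exp")
    if params.validate_expiration_time and exp is not None:
        # 4.1.4: the current time MUST be before exp (at exp itself the token is expired)
        if not now < exp + leeway:
            errors.append(f"token expired at exp={exp}")

    nbf = _numeric_date(claims, "nbf")
    if params.validate_not_before and nbf is not None:
        # 4.1.5: the current time MUST be after or equal to nbf (nbf itself is acceptable)
        if not now >= nbf - leeway:
            errors.append(f"token not valid before nbf={nbf}")

    iat = _numeric_date(claims, "iat")
    if params.validate_issued_at and iat is not None:
        # 4.1.6 only defines iat as the issuance time; the usual check is that it is not in the future
        if iat - leeway > now:
            errors.append(f"token claims to be issued in the future, iat={iat}")

    return errors


# Constructed claim set: issued at t=1000 but only usable from t=4600 until t=8200,
# the "issue now, valid later" case in which iat and nbf legitimately differ.
SAMPLE_CLAIMS: Dict[str, object] = {
    "iss": "https://issuer.example", "sub": "user-42",
    "iat": 1000, "nbf": 4600, "exp": 8200,
}
DEFAULT_PARAMS = TimeValidationParameters()

if __name__ == "__main__":
    for now in (1000, 4600, 8200):
        print(now, validate_time_claims(SAMPLE_CLAIMS, DEFAULT_PARAMS, now))
```

Run as a script, the loop reports the token as not yet valid at t=1000 (its own `iat`), acceptable at t=4600, and expired at t=8200. Keeping the three checks behind three separately named switches is the point: a verifier that needs to accept pre-issued tokens can leave `validate_not_before` on and `validate_issued_at` off, and no switch silently does the work of a differently named claim.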
To be honest, I don't remember why or how I (or maybe it was an OSS contribution by someone else) came up with this name. Both properties mean "whether the token is valid", one being "already valid" and the other "still valid". I guess because the latter is Expiration, the opposite to it was minted as Issuance. Which you're right, is a different claim.

Long story short: do you mind submitting a change to add a new property and mark the old one as `[Obsolete]`?
For some reason, `ValidationParameters` has `ValidateIssuedTime` and `ValidateExpirationTime`, but not `ValidateNotBeforeTime`. Additionally, there is no way to manually disable this anywhere.