kumar303
commented
8 years ago Note that this only applies to API key based JWTs since each token is generated for a single request. In other words, the frontend session JWTs can be used repeatedly so nonce restrictions should not be enforced there.
API JWTs must send a
jti(ID/nonce), as documented, but currently the server is not using this to prevent replay attacks. Let's do it.Originally filed as https://bugzilla.mozilla.org/show_bug.cgi?id=1213354
┆Issue is synchronized with this Jira Task