nasa / utm-apis

The collection of APIs for NASA's UTM project in the form of OpenAPI documents.

Fims Authz Swagger - sync to TCL4 #147

Closed issmith1 closed 5 years ago

issmith1 commented 5 years ago

'authorities' has been removed from the token (Dec 13), but needs more work.

As per https://www.owasp.org/index.php/REST_Security_Cheat_Sheet, "Some claims have been standardised and should be present in JWT", e.g. iss, aud, exp and nbf.

As per the Slack discussion with Joey (UTM Chief Engineer) [Dec 13th at 11:14 AM]: we need to remove expires_in from the yaml. We need to remove authorities from the token. There are probably two or three other changes needed one way or the other.
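Checking the claims named in this comment on the consumer side, as an added example that is not part of the utm-apis repository or of anyone's comment here. It assumes the token signature was already verified, that the issuer and audience strings are placeholders, and that a token still carrying the removed `authorities` claim should be flagged.

```python
import time
from typing import Optional

REQUIRED_CLAIMS = ("iss", "aud", "exp", "nbf")   # per the OWASP REST cheat sheet
LEGACY_CLAIMS = ("authorities",)                 # removed from the token per this issue


def validate_claims(payload: dict, expected_iss: str, expected_aud: str,
                    now: Optional[int] = None, leeway: int = 30) -> list:
    """Return the list of problems found; an empty list means the claims pass.

    Assumes the JWT signature was already verified and `payload` is the
    decoded claims object. Time claims are NumericDate (seconds since epoch).
    """
    now = int(time.time()) if now is None else now
    problems = [f"missing required claim: {c}" for c in REQUIRED_CLAIMS if c not in payload]
    if problems:
        return problems  # values cannot be checked while claims are absent

    if payload["iss"] != expected_iss:
        problems.append(f"unexpected issuer: {payload['iss']!r}")

    # RFC 7519: aud may be a single string or an array of strings.
    aud = payload["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in audiences:
        problems.append(f"token not intended for {expected_aud!r}")

    exp, nbf = payload["exp"], payload["nbf"]
    if isinstance(exp, int) and isinstance(nbf, int):
        if now >= exp + leeway:   # leeway tolerates small clock skew between services
            problems.append("token expired")
        if now < nbf - leeway:
            problems.append("token not yet valid")
    else:
        problems.append("exp and nbf must be NumericDate integers")

    for claim in LEGACY_CLAIMS:
        if claim in payload:
            problems.append(f"legacy claim present: {claim}")
    return problems


# Constructed sample payloads (placeholder issuer/audience, not real UTM tokens).
ISSUER, AUDIENCE = "https://fims.example/oauth/token", "utm.example"
GOOD_PAYLOAD = {"iss": ISSUER, "aud": AUDIENCE, "exp": 1_700_000_900,
                "nbf": 1_700_000_000, "sub": "uss-example"}
LEGACY_PAYLOAD = {**GOOD_PAYLOAD, "aud": ["other.example", AUDIENCE],
                  "authorities": ["ROLE_USS"]}
```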

nasajoey commented 5 years ago

@issmith1 I think we are good on this one, right? Can close?

issmith1 commented 5 years ago

Publication of the UAS Service Supplier Framework for Authentication and Authorization will lock down the status of the JWT claims.