tuupola
commented
3 years ago You are correct. I was reading https://github.com/return/branca/issues/7 and though it should be mentioned in the spec.
Closed brycx closed 3 years ago
tuupola
commented
3 years ago You are correct. I was reading https://github.com/return/branca/issues/7 and though it should be mentioned in the spec.
I think it would make sense to specifically state, that the expiration check for a token using a
ttlshould happen after authenticating and decrypting. If it happens before, a user would never know if an expired token they received was tampered into expiring, or actually did expire.