iat, nbf clause readability

Issue #695 new
Dave Tonge created an issue

14. to accommodate for clock offsets, shall accept JWTs with an iat or nbf time up to 10 seconds in the future, however should reject JWTs with an iat or nbf of 60 seconds or greater in the future.

[Rifaat] What should the AS do when iat/nbf is greater than 10 but less than 60?

Comments (3)

  1. Dave Tonge reporter

    The wording on this is difficult; what we meant to say (I think) is:

    0 to 10 seconds in the future - accept and process
    10 to 60 seconds - do what you want, no guidance from us
    60+ seconds - should reject

  2. Dave Tonge reporter

    How about:

    to accommodate clock offsets, shall accept JWTs with an 'iat' or 'nbf' time up to 10 seconds in the future, may accept those with an 'iat' or 'nbf' time between 10 and 60 seconds in the future, but should reject those with an 'iat' or 'nbf' time 60 seconds or more in the future.
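The three bands in the proposed wording, with their boundaries made explicit, as an added example that is not part of the issue thread or the specification text. The names `classify_future_skew`, `accept_jwt` and `accept_discretionary` are hypothetical. Skipping an absent claim and rejecting a non-numeric one are assumptions that this clause does not address.

```python
from enum import Enum

SHALL_ACCEPT_SKEW = 10   # seconds: "up to 10 seconds in the future"
SHOULD_REJECT_SKEW = 60  # seconds: "60 seconds or more in the future"


class Verdict(Enum):
    ACCEPT = "accept"                # shall accept
    DISCRETIONARY = "discretionary"  # may accept: local policy decides
    REJECT = "reject"                # should reject


def classify_future_skew(claims, now):
    """Classify a JWT by how far its iat/nbf lie in the future of `now`.

    `claims` is the decoded payload of a JWT whose signature has already
    been verified; `now` is the server's clock in seconds since the epoch.
    The strictest verdict across iat and nbf is returned.
    """
    worst = Verdict.ACCEPT
    for name in ("iat", "nbf"):
        if name not in claims:
            continue  # assumption: presence is enforced by other clauses
        value = claims[name]
        # Assumption: a non-numeric timestamp is rejected outright.
        # bool is excluded explicitly because it is an int subclass.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return Verdict.REJECT
        skew = value - now
        if skew >= SHOULD_REJECT_SKEW:    # exactly 60 already falls here
            return Verdict.REJECT
        if skew > SHALL_ACCEPT_SKEW:      # exactly 10 is still "shall accept"
            worst = Verdict.DISCRETIONARY
    return worst


def accept_jwt(claims, now, accept_discretionary=False):
    """Apply local policy to the 10-60 second band; default is to refuse."""
    verdict = classify_future_skew(claims, now)
    if verdict is Verdict.DISCRETIONARY:
        return accept_discretionary
    return verdict is Verdict.ACCEPT
```

Making the middle band an explicit configuration choice keeps the behaviour for the 10 to 60 second range visible in deployment settings rather than implicit in a comparison operator.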
