One comment on slide 5 about the /time window/.

At the bottom, on the left, it is written: "Only valid for a limited /time window/ relative to creation time".

While the creation time is defined by "iat", the /time window/ is currently left at the discretion of each RS.

It would be preferable to mandate the inclusion in the JWT of the exp (Expiration Time) Claim. In this way, the /time window/ would be defined by the AS using both the "iat" and the "exp" claims.

This would have the following advantages:

 * The client will know whether a token is still usable and is unlikely
   to get a rejection of the token because of an unknown time window
   defined by a RS.

 * The RS is able to manage the "jti" claim values better, because it
   will be able to discard "jti" claim values as soon as they are
   outside the time window defined by the AS in a JWT.

Denis
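As an added worked example, not code from the DPoP draft or from the message above, here is the RS-side check that the proposal implies: the proof's validity window is taken from "iat" and "exp" when the issuer of the JWT supplies "exp", and falls back to an RS-chosen window otherwise; the "jti" replay cache is pruned as soon as a proof's window has closed, so a missing "exp" is exactly what forces the RS to pick its own retention period. The class name, the `rs_window` and `skew` values and the constructed claim sets are assumptions; signature, key-binding, "htm" and "htu" verification are assumed to have passed before these checks run.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed example: models only the time-window and "jti" replay checks an
# RS applies to a DPoP proof JWT. Signature and htm/htu checks are assumed
# to have been done already. All numbers are assumed/illustrative.


@dataclass
class DpopProofChecker:
    # Fallback window (seconds) used when the proof carries no "exp". This is
    # the per-RS discretion the message above argues should be removed.
    rs_window: int = 300
    # Tolerated clock skew between the proof issuer and the RS (assumption).
    skew: int = 10
    # jti values seen so far, mapped to the instant after which they may be
    # forgotten (end of the proof's window plus skew).
    _seen: dict = field(default_factory=dict)

    def window_end(self, claims: dict) -> int:
        """End of the validity window: "exp" if present, else iat + rs_window."""
        if "exp" in claims:
            return int(claims["exp"])
        return int(claims["iat"]) + self.rs_window

    def check(self, claims: dict, now: int) -> tuple[bool, str]:
        """Validate the window and replay state of one proof at time `now`."""
        for required in ("iat", "jti"):
            if required not in claims:
                return False, f"missing {required}"
        iat = int(claims["iat"])
        if iat > now + self.skew:
            return False, "iat in the future"
        end = self.window_end(claims)
        if "exp" in claims and end <= iat:
            return False, "exp not after iat"
        if now > end + self.skew:
            # Expired proofs are rejected before touching the cache, which is
            # what makes it safe to forget their jti once the window closes.
            return False, "proof expired"
        self.evict(now)
        jti = claims["jti"]
        if jti in self._seen:
            return False, "replayed jti"
        self._seen[jti] = end + self.skew
        return True, "ok"

    def evict(self, now: int) -> int:
        """Drop jti values whose window has closed; returns how many."""
        stale = [jti for jti, until in self._seen.items() if until < now]
        for jti in stale:
            del self._seen[jti]
        return len(stale)

    def cached(self) -> int:
        """Number of jti values the RS still has to remember."""
        return len(self._seen)


if __name__ == "__main__":
    chk = DpopProofChecker(rs_window=300, skew=10)
    # Proof with exp: accepted once, replay rejected, and after exp the RS
    # both rejects the proof and no longer needs to remember its jti.
    print(chk.check({"iat": 1000, "exp": 1060, "jti": "a"}, now=1030))
    print(chk.check({"iat": 1000, "exp": 1060, "jti": "a"}, now=1031))
    print(chk.check({"iat": 1000, "exp": 1060, "jti": "b"}, now=1080))
    # Proof without exp: the RS must fall back to its own 300 s window and
    # keep the jti for that long, while "a" can already be evicted.
    print(chk.check({"iat": 1000, "jti": "c"}, now=1080), chk.cached())
```

The eviction rule is the second advantage listed above: with "exp" mandated, the RS forgets a jti at exp plus skew, whereas without it the retention period is whatever `rs_window` the RS chose, which the client cannot know.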


All,

This is a reminder that we have an Interim meeting this Monday, Nov 30th @ 12:00pm ET, to discuss the latest with the *DPoP* document: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

You can find the details of the meeting and the slides here:
https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth

Regards,
 Rifaat & Hannes


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

