Client Secret Validation


Prabhakaran Murugadoss

Nov 24, 2015, 4:42:04 AM11/24/15
to OADA Developers Group
Hi,

I need clarification about how to validate a client secret's life span. The draft at https://tools.ietf.org/id/draft-ietf-oauth-jwt-bearer-12.txt says the normal JWT payload should contain the "exp" claim.

And how do I define the "nbf" claim in the payload?

Andrew Balmos

Nov 24, 2015, 9:23:29 AM11/24/15
to Prabhakaran Murugadoss, oada-dev
Prabhakaran,

Thank you for pointing out the mistake. I updated the example.

The OADA spec tries to not overrule RFCs but rather just clarify when
things are left open ended. In this case, because the RFC requires the
"exp" claim for client assertions, so does OADA.

The "nbf" (not before) claim is defined by the JWT spec
(https://tools.ietf.org/rfc/rfc7519.txt) section 4.1.5. Its value is
of the type "NumericDate", which is also defined in the JWT spec
(section 2). It is basically a unix timestamp. It takes the same form
as the "exp" claim.

Andrew

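The checks described in this reply, as an added example that is not part of the thread or of the OADA code base: a minimal client-assertion JWT is built and then verified, requiring the "exp" claim and treating "nbf" as an optional NumericDate (seconds since the epoch), with an optional clock-skew leeway. The HS256 shared secret and the claim values are constructed for illustration; a real deployment would use the client's registered key and algorithm.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWS base64url strips padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, secret: bytes) -> str:
    """Build a compact-serialized HS256 JWT (constructed example, not OADA code)."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def is_numeric_date(value) -> bool:
    # RFC 7519 NumericDate is a JSON number; Python bools are ints, so exclude them.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_assertion(token: str, secret: bytes, now: int, leeway: int = 0) -> str:
    """Return "ok" or a short reason string explaining why the assertion is rejected."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return "malformed"
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return "bad_alg"  # never let the token choose an algorithm the server did not expect
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return "bad_signature"  # reject before trusting any claim
    claims = json.loads(b64url_decode(p))
    exp = claims.get("exp")
    if not is_numeric_date(exp):
        return "missing_exp"  # "exp" is mandatory for client assertions
    if now >= exp + leeway:
        return "expired"
    nbf = claims.get("nbf")
    if nbf is not None:
        if not is_numeric_date(nbf):
            return "bad_nbf"
        if now < nbf - leeway:
            return "not_yet_valid"
    return "ok"
```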

Prabhakaran Murugadoss

Nov 25, 2015, 8:25:35 AM11/25/15
to OADA Developers Group, m.prabh...@gmail.com
Thanks Balmos