Expiration time in JwtGenerator


Nebehr Gudahtt

Jan 28, 2019, 2:29:35 AM
to Pac4j development mailing list
Is there any reason why expiration time is a property of JwtGenerator and not the profile token it generates? What is the suggested way then to implement JWT token expiration? Is it by resetting expiration time on JwtGenerator prior to every generate() call? Wouldn't it be not thread-safe then?

Wouldn't it be more logical to replace expiration time with expiration period (aka maxAge), so that every token generated by JwtGenerator had expiration time = issue time + expiration period?

Jérôme LELEU

Jan 28, 2019, 3:23:12 AM
to Nebehr Gudahtt, Pac4j development mailing list
Hi,

Expiration date is a regular property of the JWT. It is set when generating a JWT according to the general expiration date of the JwtGenerator and checked against the current date and an optional expiration date in the JwtAuthenticator.

Currently, we only have one expiration date in the JwtGenerator, so you cannot change it for each JWT; it would not be thread-safe. You can create several JwtGenerator instances for several expiration dates, but it's true that we could have a more convenient method accepting an expiration date.

Thanks.
Best regards,
Jérôme
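
The expiration-period design proposed in the first message (expiration time = issue time + expiration period), as an added example that is not part of the thread and is not pac4j code. `MaxAgeJwtIssuer` is a hypothetical, JDK-only HS256 issuer with immutable fields, so one instance can be shared across threads; the key, subject and clock values are constructed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.time.*;
import java.util.Base64;
import java.util.regex.*;
import static java.nio.charset.StandardCharsets.UTF_8;
// Hypothetical class (not pac4j code): holds a validity period, not a fixed expiration date.
public final class MaxAgeJwtIssuer {
    private static final Pattern EXP = Pattern.compile("\"exp\":(\\d+)");
    private final byte[] secret;   // HS256 key
    private final Duration maxAge; // final fields only: concurrent issue() calls share no mutable state
    private final Clock clock;
    public MaxAgeJwtIssuer(byte[] secret, Duration maxAge, Clock clock) {
        this.secret = secret.clone(); this.maxAge = maxAge; this.clock = clock;
    }
    // exp = iat + maxAge, computed per call instead of read from a shared, settable date.
    public String issue(String subject) throws Exception {
        if (!subject.matches("[A-Za-z0-9_.@-]+")) throw new IllegalArgumentException("unsafe subject");
        long iat = clock.instant().getEpochSecond();
        String claims = "{\"sub\":\"" + subject + "\",\"iat\":" + iat + ",\"exp\":" + (iat + maxAge.getSeconds()) + "}";
        String input = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(UTF_8)) + "." + b64(claims.getBytes(UTF_8));
        return input + "." + b64(hmac(input));
    }
    // Signature first (constant-time compare); only then is exp read and checked against the clock.
    public boolean isValid(String token) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 3) return false;
        byte[] expected = b64(hmac(p[0] + "." + p[1])).getBytes(UTF_8);
        if (!MessageDigest.isEqual(expected, p[2].getBytes(UTF_8))) return false;
        Matcher m = EXP.matcher(new String(Base64.getUrlDecoder().decode(p[1]), UTF_8));
        return m.find() && clock.instant().getEpochSecond() < Long.parseLong(m.group(1));
    }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    private byte[] hmac(String s) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256"); // Mac is not thread-safe, so one instance per call
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(s.getBytes(UTF_8));
    }
    private static MaxAgeJwtIssuer at(byte[] key, Instant now) {
        return new MaxAgeJwtIssuer(key, Duration.ofHours(1), Clock.fixed(now, ZoneOffset.UTC));
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-0123456789abcdef".getBytes(UTF_8);
        Instant t0 = Instant.parse("2019-01-28T08:00:00Z"); // constructed issue time
        String jwt = at(key, t0).issue("alice");
        System.out.println("valid after 30 min: " + at(key, t0.plusSeconds(1800)).isValid(jwt));
        System.out.println("valid after 2 h: " + at(key, t0.plusSeconds(7200)).isValid(jwt));
    }
}
```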