Allowing tokens without an exp claim


Allowing tokens without an exp claim

jgallimore
Hi All,

At present TomEE will reject JWT tokens where the exp claim is a timestamp
that is in the past. We also reject tokens where there is no exp claim at
all.

I propose adding a setting which will allow tokens without an exp claim to
be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 - using
exp is optional).

The current behavior (not allowing a token without an exp claim) would be
the default, and the option to allow tokens without an exp would need to be
explicitly enabled.

Are there any objections?

Jon
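The exp handling Jon describes, written out as an added Python illustration that is not TomEE's code: by default both an expired token and a token with no exp claim are rejected, and only an explicitly enabled flag (named allow_missing_exp here, an assumed name) lets the missing-exp case through, while an expired token is still rejected regardless. Sample tokens are constructed inline and signature verification is assumed to have already passed before this check runs.

```python
import base64
import json
import time


def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _decode_segment(seg):
    """Restore padding and decode one JWT segment back into a dict."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def build_token(claims):
    """Constructed sample token: header.payload.signature with a placeholder
    signature, since only the exp-claim check is demonstrated here."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "sig"])


def check_exp(token, allow_missing_exp=False, now=None):
    """Return (accepted, reason) for the exp claim of a JWT.

    - exp in the past          -> reject, whatever the setting
    - exp absent               -> reject by default, accept only if
                                  allow_missing_exp is explicitly enabled
    - exp not a NumericDate    -> reject (RFC 7519 section 4.1.4 requires a number)
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        claims = _decode_segment(parts[1])
    except (ValueError, json.JSONDecodeError):
        return False, "undecodable payload"
    if "exp" not in claims:
        if allow_missing_exp:
            return True, "no exp claim; accepted by explicit configuration"
        return False, "no exp claim; rejected (default)"
    exp = claims["exp"]
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "exp is not a NumericDate"
    if exp <= now:
        return False, "token expired"
    return True, "exp is in the future"
```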

Re: Allowing tokens without an exp claim

Cesar Hernandez
Hi,

+1 to the proposed setting since it ensures backward compatibility.

On Fri., 8 Nov. 2019 at 10:16, Jonathan Gallimore (<
[hidden email]>) wrote:

> Hi All,
>
> At present TomEE will reject JWT tokens where the exp claim is a timestamp
> that is in the past. We also reject tokens where there is no exp claim at
> all.
>
> I propose adding a setting which will allow tokens without an exp claim to
> be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 - using
> exp is optional).
>
> The current behavior (not allowing a token without an exp claim) would be
> the default, and the option to allow tokens without an exp would need to be
> explicitly enabled.
>
> Are there any objections?
>
> Jon
>


--
Sincerely:
César Hernández.

Re: Allowing tokens without an exp claim

Richard Monson-Haefel
In reply to this post by jgallimore
+1

On Fri, Nov 8, 2019 at 10:16 AM Jonathan Gallimore <
[hidden email]> wrote:

> Hi All,
>
> At present TomEE will reject JWT tokens where the exp claim is a timestamp
> that is in the past. We also reject tokens where there is no exp claim at
> all.
>
> I propose adding a setting which will allow tokens without an exp claim to
> be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 - using
> exp is optional).
>
> The current behavior (not allowing a token without an exp claim) would be
> the default, and the option to allow tokens without an exp would need to be
> explicitly enabled.
>
> Are there any objections?
>
> Jon
>


--
Richard Monson-Haefel
https://twitter.com/rmonson
https://www.linkedin.com/in/monsonhaefel/

Re: Allowing tokens without an exp claim

jgallimore
Thanks for the feedback everyone. Here's a PR for review:
https://github.com/apache/tomee/pull/604

Jon

On Fri, Nov 8, 2019 at 5:19 PM Richard Monson-Haefel <[hidden email]>
wrote:

> +1
>
> On Fri, Nov 8, 2019 at 10:16 AM Jonathan Gallimore <
> [hidden email]> wrote:
>
> > Hi All,
> >
> > At present TomEE will reject JWT tokens where the exp claim is a
> timestamp
> > that is in the past. We also reject tokens where there is no exp claim at
> > all.
> >
> > I propose adding a setting which will allow tokens without an exp claim
> to
> > be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 -
> using
> > exp is optional).
> >
> > The current behavior (not allowing a token without an exp claim) would be
> > the default, and the option to allow tokens without an exp would need to
> be
> > explicitly enabled.
> >
> > Are there any objections?
> >
> > Jon
> >
>
>
> --
> Richard Monson-Haefel
> https://twitter.com/rmonson
> https://www.linkedin.com/in/monsonhaefel/
>

Re: Allowing tokens without an exp claim

Jean-Louis MONTEIRO
Sounds reasonable to me
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Nov 11, 2019 at 3:25 PM Jonathan Gallimore <
[hidden email]> wrote:

> Thanks for the feedback everyone. Here's a PR for review:
> https://github.com/apache/tomee/pull/604
>
> Jon
>
> On Fri, Nov 8, 2019 at 5:19 PM Richard Monson-Haefel <
> [hidden email]>
> wrote:
>
> > +1
> >
> > On Fri, Nov 8, 2019 at 10:16 AM Jonathan Gallimore <
> > [hidden email]> wrote:
> >
> > > Hi All,
> > >
> > > At present TomEE will reject JWT tokens where the exp claim is a
> > timestamp
> > > that is in the past. We also reject tokens where there is no exp claim
> at
> > > all.
> > >
> > > I propose adding a setting which will allow tokens without an exp claim
> > to
> > > be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 -
> > using
> > > exp is optional).
> > >
> > > The current behavior (not allowing a token without an exp claim) would
> be
> > > the default, and the option to allow tokens without an exp would need
> to
> > be
> > > explicitly enabled.
> > >
> > > Are there any objections?
> > >
> > > Jon
> > >
> >
> >
> > --
> > Richard Monson-Haefel
> > https://twitter.com/rmonson
> > https://www.linkedin.com/in/monsonhaefel/
> >
>

Re: Allowing tokens without an exp claim

ivanjunckes
+1

On Mon, Nov 11, 2019 at 4:10 PM Jean-Louis Monteiro <
[hidden email]> wrote:

> Sounds reasonable to me
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Mon, Nov 11, 2019 at 3:25 PM Jonathan Gallimore <
> [hidden email]> wrote:
>
> > Thanks for the feedback everyone. Here's a PR for review:
> > https://github.com/apache/tomee/pull/604
> >
> > Jon
> >
> > On Fri, Nov 8, 2019 at 5:19 PM Richard Monson-Haefel <
> > [hidden email]>
> > wrote:
> >
> > > +1
> > >
> > > On Fri, Nov 8, 2019 at 10:16 AM Jonathan Gallimore <
> > > [hidden email]> wrote:
> > >
> > > > Hi All,
> > > >
> > > > At present TomEE will reject JWT tokens where the exp claim is a
> > > timestamp
> > > > that is in the past. We also reject tokens where there is no exp
> claim
> > at
> > > > all.
> > > >
> > > > I propose adding a setting which will allow tokens without an exp
> claim
> > > to
> > > > be accepted (see https://tools.ietf.org/html/rfc7519#section-4.1.4 -
> > > using
> > > > exp is optional).
> > > >
> > > > The current behavior (not allowing a token without an exp claim)
> would
> > be
> > > > the default, and the option to allow tokens without an exp would need
> > to
> > > be
> > > > explicitly enabled.
> > > >
> > > > Are there any objections?
> > > >
> > > > Jon
> > > >
> > >
> > >
> > > --
> > > Richard Monson-Haefel
> > > https://twitter.com/rmonson
> > > https://www.linkedin.com/in/monsonhaefel/
> > >
> >
>