Skip to content

Commit 09e2be7

Browse files
paulbastianpaulbastian
committed
remove exp from Client Attestation PoP JWT
1 parent 962e5d1 commit 09e2be7

File tree

1 file changed

+2
-3
lines changed

1 file changed

+2
-3
lines changed

draft-ietf-oauth-attestation-based-client-auth.md

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -222,9 +222,8 @@ The following content applies to the JWT Header:
222222
The following content applies to the JWT Claims Set:
223223

224224
* `iss`: REQUIRED. The `iss` (subject) claim MUST specify client_id value of the OAuth Client.
225-
* `exp`: REQUIRED. The `exp` (expiration time) claim MUST specify the time at which the Client Attestation PoP is considered expired. The authorization server MUST reject any JWT with an expiration time that has passed, subject to allowable clock skew between systems. Note that the authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future.
226225
* `aud`: REQUIRED. The `aud` (audience) claim MUST specify a value that identifies the authorization server as an intended audience. The {{RFC8414}} issuer identifier URL of the authorization server MUST be used as a value for an "aud" element to identify the authorization server as the intended audience of the JWT.
227-
* `jti`: REQUIRED. The `jti` (JWT identifier) claim MUST specify a unique identifier for the Client Attestation PoP. The authorization server MAY ensure that JWTs are not replayed by maintaining the set of used "jti" values for the length of time for which the JWT would be considered valid based on the applicable "exp" instant.
226+
* `jti`: REQUIRED. The `jti` (JWT identifier) claim MUST specify a unique identifier for the Client Attestation PoP. The authorization server MAY utilize the `jti` value for replay attack detection, see [](#security-consideration-replay).
228227
* `challenge`: OPTIONAL. The `challenge` (challenge) claim MUST specify a String value that is provided by the authorization server for the client to include in the Client Attestation PoP JWT.
229228
* `iat`: OPTIONAL. The `iat` (issued at) claim MUST specify the time at which the Client Attestation PoP was issued. Note that the authorization server may reject JWTs with an "iat" claim value that is unreasonably far in the past.
230229
* `nbf`: OPTIONAL. The `nbf` (not before) claim MUST specify the time before which the Client Attestation PoP MUST NOT be accepted for processing.
@@ -251,7 +250,6 @@ The following example is the decoded header and payload of a JWT meeting the pro
251250
"iss": "https://client.example.com",
252251
"aud": "https://as.example.com",
253252
"nbf":1300815780,
254-
"exp":1300819380,
255253
"jti": "d25d00ab-552b-46fc-ae19-98f440f25064",
256254
"challenge" : "5c1a9e10-29ff-4c2b-ae73-57c0957c09c4"
257255
}
@@ -594,6 +592,7 @@ This section requests registration of the following scheme in the "Hypertext Tra
594592
* rename nonce to challenge
595593
* rewrite security consideration on replay attacks
596594
* add implementation consideration on replay attacks
595+
* remove `exp` from Client Attestation PoP JWT
597596

598597
-05
599598

0 commit comments

Comments
 (0)