Implement infrastructure to verify jti
claims
#3749
Labels
enhancement
New feature or request
Milestone
jti
claims
#3749
Feature Request
Related to the refactoring of how tokens are handled in EDC (#3743) we need a way to validate
jti
claims.jti
claims are supposed to be random strings with a good-as-zero possibility to be repeated within a reasonable amount of time.Thus, the recipient of a JWT must record every
jti
claim value until at least time specified by theexp
claim and reject an incoming JWT if it carries a "known"jti
.After that time,
jti
claims could theoretically be re-used because any prior token carrying the samejti
have already expired and wouldn't be valid anyway.Which Areas Would Be Affected?
identity services, token validation rules
Why Is the Feature Desired?
guarding against replay attacks
Solution Proposal
jti
claims: This could actually be a generic implementation, something like aTemporaryValueStorage
, which records arbitrary values plus the start and end of their validity periods.TemporaryValueStorage
to CRUDjti
valuesThe text was updated successfully, but these errors were encountered: