-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal for CAMARA mandated minimum acceptable JWT token lifetime #208
Comments
If we are considering adding this restriction for the
|
ALL implementations will have some limitation on acceptable token lifetime. I am proposing that we make it explicit to the API consumer that tokens with a lifetime less that 300 seconds will be accepted by all authorisation servers. This would be new information for the API consumer. Your proposed text on |
Following up from today's meeting:
Let me have any further thoughts by end of the week, and I'll propose some text early next week |
Problem description
CAMARA mandate that clients be authenticated using
private_key_jwt
. The OIDC code specification mandates that the JWT includes anexp
claim. Whilst tokens that have expired must be rejected by the authorisation server, creating long lived tokens (to remove the risk of token expiration) itself leads to potential security risks.This is recognised by RFC 7523, which states:
However, neither RFC 7523 nor OIDC nor CAMARA give any guidance as to what is considered to be "unreasonably far in the future" , or what should be the minimum token lifetime that must be accepted by all authorisation servers. This could lead to a situation where client implementations generate tokens that are accepted by some authorisation servers, but rejected by others, purely because of the token lifetime.
Possible evolution
A minimum JWT token lifetime that must be accepted by all authorisation servers should be mandated by CAMARA. It is proposed that this minimum lifetime be 300 seconds, which is plenty of time for a token to be generated and then presented to the authorisation server. This requirement could be appended to the existing text on client authentication as follows:
Alternative solution
None offered
Additional context
None
The text was updated successfully, but these errors were encountered: