From: Bruno O. <br...@ab...> - 2013-07-02 09:12:58
Just correcting myself in the previous e-mail. I was talking about JWS, and iat is not necessary. iat and exp were already implemented in the JsonWebToken class, sorry.

Bruno Oliveira wrote:
> Good morning everyone.
>
> I've been working to include security on AeroGear and make use of
> RESTEasy; to be more specific, I would like to include JWT/JWS support.
> The API is pretty straightforward and I think it is a good fit for mobile.
>
> Before moving forward on AeroGear I'd like to suggest (and implement, if you
> guys agree) the inclusion of two new attributes:
>
> - iat: claim identifies the time at which the JWT was issued. This claim
> can be used to determine the age of the JWT. Its value MUST be a number
> containing an IntDate value.
>
> - exp: claim identifies the expiration time on or after which the JWT
> MUST NOT be accepted for processing. The processing of the exp claim
> requires that the current date/time MUST be before the expiration
> date/time listed in the exp claim. Implementers MAY provide for some
> small leeway, usually no more than a few minutes, to account for clock
> skew. Its value MUST be a number containing an IntDate value.
>
> This is important, because I wouldn't like to trust SSL/TLS only. If
> for some reason this layer is broken (wrong configuration, lack of
> understanding from some developers), it would be nice to have an
> additional layer of security (it won't solve all the problems, but might
> help).
>
> What do you guys think? Makes sense?
> -- abstractj
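The iat/exp semantics quoted above (accept only while the current time is before exp, allow a small leeway for clock skew, treat the claim values as IntDate numbers) can be shown end to end with a compact JWS. The following is an added example and is not code from the RESTEasy or AeroGear projects; it builds a minimal HS256-signed token with the standard library, verifies the signature first, and only then evaluates the time claims. The key, the claim values and the 60-second leeway are constructed for the example; `check_time_claims` and `max_age` are hypothetical names, not part of the JsonWebToken class discussed in the thread.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    # JWS uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: the header is attacker-controlled until verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def _is_intdate(value) -> bool:
    # IntDate is seconds since the epoch as a number; bool is excluded
    # because Python treats it as an int.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_time_claims(claims: dict, now=None, leeway=60, max_age=None):
    """Apply the exp/iat rules with a clock-skew leeway (constructed policy).

    Returns (accepted, reason). `leeway` and `max_age` are in seconds.
    """
    now = int(time.time()) if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None:
        return False, "missing exp or iat"
    if not _is_intdate(exp) or not _is_intdate(iat):
        return False, "exp and iat must be IntDate numbers"
    # Current time MUST be before exp; leeway tolerates skewed clocks.
    if now >= exp + leeway:
        return False, "expired"
    # A token issued in the future (beyond leeway) is not trustworthy.
    if iat > now + leeway:
        return False, "issued in the future"
    # Optional freshness bound derived from iat, as the quoted text suggests.
    if max_age is not None and now - iat > max_age + leeway:
        return False, "too old"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-secret"          # constructed, not a real key
    token = sign_hs256({"sub": "alice", "iat": 1000, "exp": 1600}, key)
    claims = verify_hs256(token, key)
    print(check_time_claims(claims, now=1500))
    print(check_time_claims(claims, now=1700))
```

Signature verification comes before any claim check because exp and iat in an unverified payload are just bytes the client sent; the time rules only add a layer once integrity is established.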