JWT AuthScheme
search cancel

JWT AuthScheme


Article ID: 186465


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER


We've configured the JWT AuthScheme to protect to our resource server based on OIDC SPA implicit flow use case.

We verified our setup is working correctly.

In further testing, we found the issue below:

id token-->iat > current time, meaning the id token was generated in the *future*.

However, the JWT AuthScheme is not rejecting the id token but allows access.


1.  How do we tell JWT AuthScheme to reject id tokens generated in the future?

2.  Also, can we tell JWT AuthScheme to enforce one-time use for id tokens? If yes, how?


Release : 12.8.03



=============== .

JWT authentication supports below parameters: 

exp Specifies the time a JWT is set to expire ( getExpirationTime(); ) 
nbf Specifies the time the JWT is valid from  getNotBeforeTime();  
it doesn't support Iat flag. which gives you issued at time. 

1. How do we tell JWT AuthScheme to reject id tokens generated in the future? To avoid reuse of token. Customer needs to set expiry and notbefore to minimal set.
If they want to use iat flag, they can write store claims as persistent and use Session Variables for claim based authorization. They can write authorization policies for iat Field or any other JWT Field
Currently, this is not supported, as JWT auth scheme is stateless.  Reply for query 1 may suffice the requirement of one time use.