We've configured the JWT AuthScheme to protect our resource server based on the OIDC SPA implicit flow use case.
We verified our setup is working correctly.
In further testing, we found the issue below:
id token --> iat > current time, meaning the id token was generated in the *future*.
However, the JWT AuthScheme is not rejecting the id token but allows access.
Questions:
1. How do we tell JWT AuthScheme to reject id tokens generated in the future?
2. Also, can we tell JWT AuthScheme to enforce one-time use for id tokens? If yes, how?
Release : 12.8.03
Component : SITEMINDER -POLICY SERVER
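For reference, below are the two checks a relying party has to apply to an ID token to get the behaviour asked about in the question: rejecting a token whose iat lies in the future, and enforcing one-time use via jti. This is an added illustration in Python, not SiteMinder code and not a description of how the JWT AuthScheme works internally; the 60-second clock skew, the in-memory jti set and the constructed test tokens are assumptions.

```python
import base64
import json
import time

CLOCK_SKEW = 60  # tolerated clock drift between issuer and verifier, in seconds (assumed value)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_test_token(claims: dict) -> str:
    """Build a constructed token for testing only; the signature segment is left empty
    because signature, issuer and audience verification are assumed to happen upstream."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Parse the payload segment of a compact-serialized JWT."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


class IdTokenValidator:
    """Time-window and one-time-use checks applied after signature verification."""

    def __init__(self, skew: int = CLOCK_SKEW):
        self.skew = skew
        self.seen_jti = set()  # a shared store with TTL would be used in a real deployment

    def check(self, token: str, now=None) -> str:
        claims = decode_claims(token)
        now = int(time.time()) if now is None else now
        # A token issued later than now + skew cannot have come from a well-behaved issuer.
        if "iat" not in claims:
            return "rejected: missing iat"
        if claims["iat"] > now + self.skew:
            return "rejected: iat in the future"
        if "nbf" in claims and claims["nbf"] > now + self.skew:
            return "rejected: not yet valid"
        if "exp" in claims and claims["exp"] <= now - self.skew:
            return "rejected: expired"
        # One-time use: every accepted token needs a jti that has never been seen before.
        jti = claims.get("jti")
        if not jti:
            return "rejected: missing jti"
        if jti in self.seen_jti:
            return "rejected: jti already used"
        self.seen_jti.add(jti)
        return "accepted"
```

The jti set must outlive the token's exp window for the replay check to hold, which is why a shared store with expiry is the realistic choice rather than process memory.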