JWT AuthScheme
Article ID: 186465

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

We've configured the JWT AuthScheme to protect our resource server, based on the OIDC SPA implicit flow use case.

We verified our setup is working correctly.

In further testing, we found the issue below:

id token iat > current time, meaning the id token was generated in the *future*.

However, the JWT AuthScheme is not rejecting the id token but allows access.


Questions:

1.  How do we tell JWT AuthScheme to reject id tokens generated in the future?

2.  Also, can we tell JWT AuthScheme to enforce one-time use for id tokens? If yes, how?

Environment

Release : 12.8.03

Component : SITEMINDER -POLICY SERVER

Resolution


JWT authentication supports the following time-based parameters:

exp: Specifies the time at which the JWT expires (getExpirationTime())
nbf: Specifies the time from which the JWT is valid (getNotBeforeTime())

It does not support the iat claim, which gives the issued-at time.


1. How do we tell JWT AuthScheme to reject id tokens generated in the future? To avoid reuse of a token, set the expiry (exp) and not-before (nbf) claims to the smallest window that works. If you want to use the iat claim, store the claims as persistent and use Session Variables for claim-based authorization; authorization policies can then be written against the iat field or any other JWT field.

2. Can we tell JWT AuthScheme to enforce one-time use for id tokens? Currently, this is not supported, as the JWT auth scheme is stateless. The answer to query 1 may suffice for the one-time-use requirement.
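As an added illustration (not SiteMinder's code), the following Python puts the exp/nbf checks described above next to the iat check the scheme lacks, and adds a jti replay cache to show why one-time use needs server-side state; the SKEW value, the function names and the sample claims are assumptions:

```python
import time

SKEW = 60  # assumed clock tolerance (seconds) for exp/nbf/iat comparisons


def check_time_claims(claims, now, require_iat=False, skew=SKEW):
    """Validate time claims of an already signature-verified JWT.

    exp and nbf mirror the two checks the page says the scheme performs;
    the iat check is the one it lacks and rejects tokens issued in the
    future (beyond the skew). Returns (accepted, reason).
    """
    if "exp" in claims and now >= claims["exp"] + skew:
        return False, "expired"
    if "nbf" in claims and now < claims["nbf"] - skew:
        return False, "not yet valid"
    if require_iat:
        if "iat" not in claims:
            return False, "iat missing"
        if claims["iat"] > now + skew:
            return False, "issued in the future"
    return True, "ok"


class ReplayCache:
    """One-time use needs server-side state: remember each jti until the
    token would have expired anyway, then forget it."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def accept(self, claims, now):
        jti = claims.get("jti")
        if jti is None:
            return False  # no unique id, so single use cannot be enforced
        self._seen = {k: e for k, e in self._seen.items() if e > now}  # prune
        if jti in self._seen:
            return False  # replayed token
        self._seen[jti] = claims.get("exp", now + SKEW)
        return True


if __name__ == "__main__":
    now = int(time.time())
    # Constructed sample claims: iat lies 10 minutes in the future.
    tok = {"sub": "alice", "iat": now + 600, "nbf": now - 5,
           "exp": now + 900, "jti": "c1"}
    print(check_time_claims(tok, now))                    # (True, 'ok')
    print(check_time_claims(tok, now, require_iat=True))  # (False, 'issued in the future')
    cache = ReplayCache()
    print(cache.accept(tok, now), cache.accept(tok, now))  # True False
```

The first call reproduces the behaviour reported above (a future iat passes when only exp and nbf are checked); the second shows the extra check that rejects it.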