ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

JWT AuthScheme

book

Article ID: 186465

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

We've configured the JWT AuthScheme to protect to our resource server based on OIDC SPA implicit flow use case.

We verified our setup is working correctly.

In further testing, we found the issue below:

id token-->iat > current time, meaning the id token was generated in the *future*.

However, the JWT AuthScheme is not rejecting the id token but allows access.


Questions:

1.  How do we tell JWT AuthScheme to reject id tokens generated in the future?

2.  Also, can we tell JWT AuthScheme to enforce one-time use for id tokens? If yes, how?

Environment

Release : 12.8.03

Component : SITEMINDER -POLICY SERVER

Resolution

=============== .

JWT authentication supports below parameters: 

exp Specifies the time a JWT is set to expire ( getExpirationTime(); ) 
nbf Specifies the time the JWT is valid from  getNotBeforeTime();  
 
it doesn't support Iat flag. which gives you issued at time. 


1. How do we tell JWT AuthScheme to reject id tokens generated in the future? To avoid reuse of token. Customer needs to set expiry and notbefore to minimal set.
If they want to use iat flag, they can write store claims as persistent and use Session Variables for claim based authorization. They can write authorization policies for iat Field or any other JWT Field
Currently, this is not supported, as JWT auth scheme is stateless.  Reply for query 1 may suffice the requirement of one time use.