How can I compute the iat and exp date for inclusion into a JWT token?

I want to build a payload for a JWT token which uses iat and exp in the header. I understand this date is in seconds. How can I get this date in Apigee?

Can I use system.timestamp and divide by 1000?

ACCEPTED SOLUTION

Can I use system.timestamp and divide by 1000 (to get a time value in seconds)

Yes, you can.

I want to build a payload for a JWT token which uses iat and exp in the header.

OK, I've got a couple of comments for you.

  • iat and exp are defined by IETF RFC 7519 to be claims in the JWT payload, not claims in the JWT header. It doesn't make sense to reproduce them in a header when they already exist and are defined by the IETF standard with a specific meaning, in the JWT payload. Be careful if you go counter to this recommendation. It will present a confusing situation for other apps or people who build stuff to interoperate with your token.
  • The GenerateJWT policy that is built in to Apigee will set the iat time implicitly in the JWT that it generates. You don't need to do anything to make that happen. And the policy will set the exp claim according to what you specify for expiry (like 10s for 10 seconds, 8m for 8 minutes, and so on).

My advice is (a) to be thoughtful about re-purposing payload claims and moving them to the header with the same or similar meaning. It will lead to confusion and probably maintenance problems down the road, and (b) consider using the GenerateJWT policy to do the right thing for iat and exp.

Example policy to generate a JWT with an iat and exp claim:

<GenerateJWT name='gjwt-1'>
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PrivateKey>
    <Value ref="private.key"/>
    <Id ref='private-key-id'/>
  </PrivateKey>
  <Subject ref="jwt_subject" />
  <ExpiresIn>1h</ExpiresIn> <!-- expires in 1 hour -->
</GenerateJWT>
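
For the manual route asked about in the question, the following is an added example, not part of the original answer or of Apigee's own code: it derives iat and exp in seconds from a millisecond timestamp and flags the common mistake of leaving a claim in milliseconds, which would make a token effectively never expire. The helper names, the 1e11 threshold, and the jwt_iat / jwt_exp variable names are assumptions; only the s, m and h expiry suffixes shown in the answer are handled.

```javascript
// Added example; helper names are hypothetical, not Apigee APIs.
var UNIT_SECONDS = { s: 1, m: 60, h: 3600 };

// Parse durations in the style the answer mentions: "10s", "8m", "1h".
function parseExpiry(text) {
  var m = /^(\d+)([smh])$/.exec(String(text).trim());
  if (!m) { throw new Error('unsupported expiry: ' + text); }
  return Number(m[1]) * UNIT_SECONDS[m[2]];
}

// RFC 7519 time claims are in seconds; system.timestamp is in milliseconds.
function buildTimeClaims(nowMs, expiresIn) {
  var iat = Math.floor(Number(nowMs) / 1000);
  if (!isFinite(iat) || iat <= 0) { throw new Error('bad timestamp: ' + nowMs); }
  return { iat: iat, exp: iat + parseExpiry(expiresIn) };
}

// Pre-signing sanity check. A value above 1e11 cannot be a plausible
// seconds timestamp (assumed threshold), so "/ 1000" was probably forgotten.
function checkTimeClaims(claims, maxLifetimeSec) {
  var problems = [];
  ['iat', 'exp'].forEach(function (name) {
    var v = claims[name];
    if (typeof v !== 'number' || !isFinite(v) || Math.floor(v) !== v) {
      problems.push(name + ' is not an integer');
    } else if (v > 1e11) {
      problems.push(name + ' looks like milliseconds');
    }
  });
  if (problems.length === 0) {
    var life = claims.exp - claims.iat;
    if (life <= 0) { problems.push('exp is not after iat'); }
    else if (life > maxLifetimeSec) { problems.push('lifetime exceeds ' + maxLifetimeSec + 's'); }
  }
  return problems;
}

// Inside an Apigee JavaScript policy `context` exists; elsewhere this is skipped.
if (typeof context !== 'undefined') {
  var claims = buildTimeClaims(context.getVariable('system.timestamp'), '1h');
  if (checkTimeClaims(claims, 3600).length === 0) {
    context.setVariable('jwt_iat', String(claims.iat)); // assumed variable names
    context.setVariable('jwt_exp', String(claims.exp));
  }
}
```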


2 REPLIES


My bad. I want to use it in the payload only. The header will be as per the standard.