Generate JWT :nbf param should be equal to iat

Hi,

I am using the Generate JWT policy to generate a JWT with some claims and I need the 'nbf' parameter to be equal to 'iat'. I do not see an 'iat' configuration in the policy. Hence, I assume it is done at the backend when the policy executes.

Can anyone help me to achieve this in apigee?

Thanks,

Sonal

Accepted solution

There is no way, currently, to set a "nbf" claim to be explicitly exactly equal to the "iat" claim. The iat time is always implicitly set as "now" by the policy execution.

If you would like to specify an nbf claim that is pretty close to the iat time, and maybe almost always equal, then you can try referring to "system.time" in the NotBefore element, like this:

<GenerateJWT name='gen-083'>
  <Algorithm>RS256</Algorithm>
  <PrivateKey>
    <Value ref="private.key"/>
    <Id>key-id-goes-here</Id>
  </PrivateKey>
  <Subject ref="jwt_subject" />
  <Issuer>issuer-goes-here</Issuer>
  <ExpiresIn>8h</ExpiresIn>
  <NotBefore ref='system.time'/>
  <OutputVariable>variable-name-here</OutputVariable>
</GenerateJWT>

The system.time variable holds "the current time", and so it will almost always be exactly the same value as is used to set iat. But there are two distinct reads of that value, so it is possible they will differ by a few microseconds. If that delta falls within a particular window, it's possible for iat and nbf to differ by 1, due to rounding.


Today it is not possible, but I think it would be good if the policy were enhanced to allow people to specify a "relative" nbf claim. Relative to "right now". So maybe something like:

<NotBefore relative='true'>0s</NotBefore>

...would give you "0 seconds relative to right now", whereas

<NotBefore relative='true'>1800s</NotBefore>

...would give you a JWT that will begin to be valid in 30 minutes.
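To make the two behaviours described in this answer concrete, here is an added example that is not part of the original post and not Apigee's policy code. It builds and verifies a JWT in plain Python (HS256 with the standard library, rather than the RS256 key reference used in the policy above, purely to stay dependency-free), derives iat and nbf from a single clock read so the two can never diverge, and also reproduces the two-read race with constructed clock values either side of a second boundary. The key, issuer, subject and clock values are constructed for the demo; the `nbf_offset_s` parameter is a hypothetical equivalent of the proposed "relative" NotBefore.

```python
import base64
import hashlib
import hmac
import json
import math

# Constructed demo key: in practice load it from a secret store, never inline it.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_claims(now, issuer, subject, expires_in_s=8 * 3600, nbf_offset_s=0):
    """Derive iat, nbf and exp from ONE clock read, so nbf == iat whenever
    nbf_offset_s is 0 (the 'relative nbf' idea from the answer above)."""
    iat = math.floor(now)
    return {
        "iss": issuer,
        "sub": subject,
        "iat": iat,
        "nbf": iat + nbf_offset_s,
        "exp": iat + expires_in_s,
    }


def build_claims_two_reads(read_clock, issuer, subject, expires_in_s=8 * 3600):
    """Mimic the behaviour described in the answer: iat and nbf each come from
    their own read of the clock, so they can straddle a second boundary."""
    iat = math.floor(read_clock())
    nbf = math.floor(read_clock())
    return {"iss": issuer, "sub": subject, "iat": iat, "nbf": nbf, "exp": iat + expires_in_s}


def demo_two_reads():
    """Constructed clock values a fraction of a millisecond either side of a
    second boundary; returns (iat, nbf) to show that they can differ by 1."""
    reads = iter([1700000000.9995, 1700000001.0004])

    def fake_clock():
        return next(reads)

    claims = build_claims_two_reads(fake_clock, "issuer-goes-here", "alice")
    return claims["iat"], claims["nbf"]


def sign_hs256(claims, key, kid="key-id-goes-here"):
    """Produce a compact JWS: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}

    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token, key, now):
    """Check the signature first, then nbf/exp against `now`; raises ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    claims = json.loads(b64url_decode(payload_b64))
    now_s = math.floor(now)
    if claims["nbf"] > now_s:
        raise ValueError("token not yet valid (nbf is in the future)")
    if claims["exp"] <= now_s:
        raise ValueError("token expired")
    return claims


def is_valid_at(token, key, now):
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False


def nbf_equals_iat(token):
    """The check the question asks for: are nbf and iat identical in this token?"""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    return claims["nbf"] == claims["iat"]
```

`demo_two_reads()` returns `(1700000000, 1700000001)`: the two reads are 0.9 ms apart, yet the integer claims differ by a whole second, which is the rounding window the answer mentions. `build_claims` avoids that by reading the clock once; a consumer that insists on `nbf == iat` should check the decoded claims (as `nbf_equals_iat` does) rather than assume it.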


@Dino-at-Google thanks a lot. It helps.

Glad to help!