Added claim for not before time (nbf) to coincide with issued at time.

This ensures JWT will not be considered valid for times before it was issued. Failing to limit the validity in this manner is a potential security hole.
apigee · Oct 20, 2017 · 5586f51 · 5586f51
1 parent ecdad26
commit 5586f51
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/jwt_signed/callout/src/main/java/com/apigee/callout/jwtsigned/JwtCreatorCallout.java b/jwt_signed/callout/src/main/java/com/apigee/callout/jwtsigned/JwtCreatorCallout.java
@@ -431,6 +431,7 @@ public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext exeCtxt)
             if (AUDIENCE != null) claims.setAudience(java.util.Arrays.asList(AUDIENCE));
             if (JTI != null) claims.setJWTID(JTI);
             claims.setIssueTime(now);
+            claims.setNotBeforeTime(now);
             Date expiry = getExpiryDate(now,msgCtxt);
             if (expiry != null) { claims.setExpirationTime(expiry); }