From 67570651165d0a8111cea819498a9ff892ef213f Mon Sep 17 00:00:00 2001
From: Eric Hildum
Date: Fri, 20 Oct 2017 09:56:07 -0700
Subject: [PATCH] Added claim for not before time (nbf) to coincide with issued at time. This ensures JWT will not be considered valid for times before it was issued. Failing to limit the validity in this manner is a potential security hole.
---
 .../java/com/apigee/callout/jwtsigned/JwtCreatorCallout.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jwt_signed/callout/src/main/java/com/apigee/callout/jwtsigned/JwtCreatorCallout.java b/jwt_signed/callout/src/main/java/com/apigee/callout/jwtsigned/JwtCreatorCallout.java
index 6607fce..d308ec5 100644
--- a/jwt_signed/callout/src/main/java/com/apigee/callout/jwtsigned/JwtCreatorCallout.java
+++ b/jwt_signed/callout/src/main/java/com/apigee/callout/jwtsigned/JwtCreatorCallout.java
@@ -431,6 +431,7 @@ public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext exeCtxt)
 if (AUDIENCE != null) claims.setAudience(java.util.Arrays.asList(AUDIENCE));
 if (JTI != null) claims.setJWTID(JTI);
 claims.setIssueTime(now);
+ claims.setNotBeforeTime(now);
 Date expiry = getExpiryDate(now,msgCtxt);
 if (expiry != null) { claims.setExpirationTime(expiry); }
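Review bot: Setting nbf to exactly `now` with no tolerance means a verifier whose clock is even slightly behind the issuing server will reject a freshly minted token as "not yet valid", so the added line trades the stated security gain for a clock-skew failure mode that the commit does not mention; RFC 7519 §4.1.5 leaves it to implementers to allow some leeway, and the verifying side of this project presumably has its own skew handling that should be confirmed against this change. The tightest fix that keeps the intent is to document the dependency at the insertion point, e.g. `// nbf == iat: verifiers must tolerate small clock skew or tokens are rejected until their clock catches up (RFC 7519 §4.1.5)`, and, if callers need it, to make the not-before value configurable from msgCtxt in the same way `getExpiryDate(now,msgCtxt)` already derives the expiry on the following line, defaulting to `now` when unset. The enclosing `execute` method begins before and continues after this hunk, so where `now` is computed and whether it is already adjusted for skew is not visible here.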