Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expiry field is required but may be set to null #169

Open
andrewzhurov opened this issue Sep 7, 2023 · 2 comments
Open

Expiry field is required but may be set to null #169

andrewzhurov opened this issue Sep 7, 2023 · 2 comments

Comments

@andrewzhurov
Copy link

According to the spec, Expiry field is required but may be set to null to convey "never expires".
Are there reasons to have the field set to null vs having it absent (optional)?

There are several reasons to prefer having it optional:

  1. Adheres to the JWT spec
  2. Makes for a uniform way of conveying absence, as it is for nbf & other fields.
  3. Makes for a more sound absence semantic, this great talk gives a fine mindset for it
@Gozala
Copy link
Contributor

Gozala commented Sep 26, 2023

Are there reasons to have the field set to null vs having it absent (optional)?

Intention had been to have an explicit signal and catch malformed UCANs that accidentally omitted this field.

@expede
Copy link
Member

expede commented Sep 26, 2023

Yeah, an expiry was required (arguably it still should be, though there are hacks around that). Ergonomically, making this field required means that people have to at least think about POLA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Gozala @expede @andrewzhurov