AEM OOTB Oauth Set up JWT Token Generation | Community
akhilraj
Level 5
January 23, 2023
Solved

AEM OOTB Oauth Set up JWT Token Generation

  • January 23, 2023
  • 1 reply
  • 1599 views

Hi,

As part of the OAuth implementation, we have to generate a JWT token based on some parameters:

Header
{
"alg": "RS256",
"typ": "JWT"
}


Payload
{
"aud": "<Token Endpoint>",
"iss": "<Client Id>",
"sub": "<user name>",
"exp": <Current time in Milliseconds+expiry>,
"iat": <Current time in Milliseconds>,
"scope": "<scope>",
"cty": "code"
}


Here, apart from the aud and iss values, even if we give dummy values for the rest of the data, it is still generating an access token from the JWT. And even though it has an expiry time, the JWT token is not expiring.

Do you have any idea why AEM does not look at the "exp" and "iat" values we are giving when generating the JWT?

Best answer by ChitraMadan

1 reply

ChitraMadan
Community Advisor
Accepted solution
January 23, 2023

Hi @akhilraj ,


There are no restrictions on the content of the payload, but it's important to know that a JWT is not encrypted. So any information that we put in the token is still readable to anyone who intercepts the token.

Therefore, it's important not to put any user information in the payload that an attacker could leverage directly.

iss (issuer), exp (expiration time), sub (subject), aud (audience): these are a set of predefined claims which are not mandatory but recommended, as they provide a set of useful information.

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value.

The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value.


https://blog.angular-university.io/angular-jwt/


This article should be helpful!!


Thanks,

Chitra
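The following is an added example, not code from the thread, from AEM or from Adobe, that builds the token the question describes and then validates it the way the RFC text quoted in the answer requires. One detail worth checking against the question's payload: RFC 7519 defines NumericDate as seconds since the Unix epoch, so an "exp" built from a millisecond timestamp is roughly a thousand times too large and lands centuries in the future, which would look exactly like a token that never expires. The validator below therefore verifies the signature first, then checks aud, iss, iat and exp with a small clock-skew leeway, and flags exp/iat values that can only be milliseconds. The token endpoint, client id and secret are constructed placeholders, and HS256 stands in for the RS256 of the real setup so that the example runs on the Python standard library alone; the claim checks are the same for either algorithm.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (placeholders, not taken from the thread).
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_ENDPOINT = "https://example.invalid/oauth/token"  # stands in for <Token Endpoint>
CLIENT_ID = "example-client-id"                        # stands in for <Client Id>
LEEWAY_SECONDS = 60  # small clock-skew allowance, as RFC 7519 permits
# 2200-01-01T00:00:00Z as seconds since the epoch: a NumericDate larger than
# this is almost certainly a millisecond timestamp rather than a seconds one.
MAX_SANE_NUMERICDATE = 7_258_118_400


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jwt(sub, scope, ttl_seconds, now=None, secret=DEMO_SECRET):
    """Build the token shape from the question, with exp/iat as NumericDate
    values: whole seconds since the Unix epoch, as RFC 7519 defines them.
    HS256 is used here instead of RS256 so no third-party library is needed."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "aud": TOKEN_ENDPOINT,
        "iss": CLIENT_ID,
        "sub": sub,
        "exp": now + ttl_seconds,
        "iat": now,
        "scope": scope,
        "cty": "code",
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_jwt(token, now=None, secret=DEMO_SECRET, leeway=LEEWAY_SECONDS):
    """Return (ok, reason). Verifies the signature before trusting any claim,
    then checks aud, iss, iat and exp as the RFC text quoted above requires."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h64, p64, s64 = parts
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if claims.get("aud") != TOKEN_ENDPOINT:
        return False, "aud mismatch"
    if claims.get("iss") != CLIENT_ID:
        return False, "iss mismatch"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "exp and iat must be NumericDate numbers"
    if exp > MAX_SANE_NUMERICDATE or iat > MAX_SANE_NUMERICDATE:
        return False, "exp/iat look like milliseconds, not seconds"
    if iat > now + leeway:
        return False, "iat is in the future"
    # RFC 7519: the current time MUST be before exp; leeway only absorbs skew.
    if now >= exp + leeway:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    issued = int(time.time())
    token = build_jwt("jdoe", "openid", ttl_seconds=300, now=issued)
    print("fresh token:", validate_jwt(token, now=issued + 10))
    print("after expiry:", validate_jwt(token, now=issued + 600))
    # Same token shape but with a millisecond timestamp, as in the question.
    ms_token = build_jwt("jdoe", "openid", ttl_seconds=300, now=issued * 1000)
    print("millisecond exp:", validate_jwt(ms_token, now=issued + 10))
```

Running the script shows the fresh token accepted, the same token rejected once the current time passes exp plus the leeway, and the millisecond variant rejected outright; a validator without that last check would simply treat the millisecond token as valid for the next few hundred years.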

akhilraj
Author
Level 5
January 24, 2023

Thanks @chitramadan