Adobe Experience Manager Sites & More

akhilraj · 1/23/23

Hi,

As part of Oauth implementation, we have to generate JWT token based on some parameters;

Header
{
"alg": "RS256",
"typ": "JWT"
}

Payload
{
"aud": "<Token Endpoint>",
"iss": "<Client Id>",
"sub": "<user name>",
"exp": <Current time in Milliseconds+expiry>,
"iat": <Current time in Milliseconds>,
"scope": "<scope>",
"cty": "code"
}

Here Apart from AUD and ISS value, rest data, if we give dummy value also its generating access token from JWT. And eventhough it have expiry time, JWT token is not expiring.

Do you have any idea why AEM will not look for "exp" and "iat" values we are giving to generate JWT ?

ChitraMadan · 1/23/23

Hi @akhilraj ,

There are no restrictions on the content of the payload, but it's important to know that a JWT is not encrypted. So any information that we put in the token is still readable to anyone who intercepts the token.

Therefore it's important not to put in the Payload any user information that an attacker could leverage directly.

iss (issuer), exp (expiration time), sub (subject), aud (audience) - These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful information.

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.
Implementers MAY provide for some small leeway, usually no more than a few minutes, 
to account for clock skew. Its value MUST be a number containing a NumericDate value.

The "iat" (issued at) claim identifies the time at which the JWT was issued.  
This claim can be used to determine the age of the JWT. 
Its value MUST be a number containing a NumericDate value.

https://blog.angular-university.io/angular-jwt/

This article should be helpful!!

Thanks,

Chitra

View solution in original post

ChitraMadan · 1/23/23

Hi @akhilraj ,

There are no restrictions on the content of the payload, but it's important to know that a JWT is not encrypted. So any information that we put in the token is still readable to anyone who intercepts the token.

Therefore it's important not to put in the Payload any user information that an attacker could leverage directly.

iss (issuer), exp (expiration time), sub (subject), aud (audience) - These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful information.

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.
Implementers MAY provide for some small leeway, usually no more than a few minutes, 
to account for clock skew. Its value MUST be a number containing a NumericDate value.

The "iat" (issued at) claim identifies the time at which the JWT was issued.  
This claim can be used to determine the age of the JWT. 
Its value MUST be a number containing a NumericDate value.

https://blog.angular-university.io/angular-jwt/

This article should be helpful!!

Thanks,

Chitra

akhilraj · 1/23/23

Thanks @ChitraMadan

akhilraj · 2/6/23

Hi @ChitraMadan ,

A quick question.

Is there any configuration available in AEM to detect the JWT token "exp": <Current time in Milliseconds+expiry> and "iat": <Current time in Milliseconds>.?
So that after the set time expired, AEM should not provide access token for the JWT token(After expiry) ?

Currently even if we give expiry time also for generate token manually, it is not expiring and getting access token always.

Or is it only taking consideration, when we generate JWT token programmatically ? Any idea?

akhilraj · 2/8/23

Hi All,

Can someone answer if you have any idea

Adobe Experience Manager Sites & More

AEM OOTB Oauth Set up JWT Token Generation

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe