  1. JBoss Enterprise Application Platform
  2. JBEAP-20939

(7.3.z) ELY-2069 - JWT token validation uses int instead of long for the dates: exp (expiration) and nbf

      Description

      JwtValidator is reading the exp and nbf field as a Java int instead of long:

      https://github.com/wildfly-security/wildfly-elytron/blob/master/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java#L139

      This means the maximum expiration date is ~January 18, 2038.  Also, with JavaScript, a NumericDate would be a 64-bit value.  The JWT spec also leaves open the possibility of a decimal value, so that should possibly be accounted for.

              People

              Assignee:
              rhn-support-ivassile Ilia Vassilev
              Reporter:
              rhn-support-ivassile Ilia Vassilev
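
An added example (not Elytron's code) that models the narrowing described in this issue using only the JDK: `BigDecimal.intValue()` stands in for an int-typed claim read, which wraps a post-2038 `exp` to a negative number and drops any fractional part, while the wide path keeps 64-bit and decimal NumericDate values. The class name, method names, fixed clock and sample claim values are constructed for illustration.

```java
import java.math.BigDecimal;
import java.time.Instant;

public class NumericDateCheck {

    // Narrowing read: models reading a NumericDate claim into a Java int.
    // Only the low-order 32 bits survive and any fraction is discarded.
    static int readAsInt(String rawClaim) {
        return new BigDecimal(rawClaim).intValue();
    }

    // Wide read: keeps the full seconds value and an optional fractional part.
    // longValueExact() throws ArithmeticException if the value exceeds a long,
    // so an absurd claim is rejected instead of silently wrapping.
    static Instant readAsInstant(String rawClaim) {
        BigDecimal[] parts = new BigDecimal(rawClaim).divideAndRemainder(BigDecimal.ONE);
        long seconds = parts[0].longValueExact();
        long nanos = parts[1].movePointRight(9).longValue();
        return Instant.ofEpochSecond(seconds, nanos);
    }

    // RFC 7519: now must be before exp, and at or after nbf.
    // A null argument means the claim is absent and is not checked here.
    static boolean isCurrent(String exp, String nbf, Instant now) {
        if (exp != null && !now.isBefore(readAsInstant(exp))) {
            return false;
        }
        if (nbf != null && now.isBefore(readAsInstant(nbf))) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z"); // constructed clock
        String exp2100 = "4102444800";       // constructed: 2100-01-01T00:00:00Z
        String nbfFraction = "1704067199.5"; // constructed: half a second before 'now'

        System.out.println("int read of exp:  " + readAsInt(exp2100));
        System.out.println("wide read of exp: " + readAsInstant(exp2100));
        System.out.println("int read of nbf:  " + readAsInt(nbfFraction));
        System.out.println("wide read of nbf: " + readAsInstant(nbfFraction));
        System.out.println("token current:    " + isCurrent(exp2100, nbfFraction, now));
    }
}
```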