diff --git a/docs/docs/apis/openidoauth/authn-methods.md b/docs/docs/apis/openidoauth/authn-methods.md index c75b505004..ee5aa332ce 100644 --- a/docs/docs/apis/openidoauth/authn-methods.md +++ b/docs/docs/apis/openidoauth/authn-methods.md @@ -46,8 +46,8 @@ JWT | Claim | Example | Description | |:------|:------------------------------|:----------------------------------------------------------------------------------------------------------------| | aud | `"https://issuer.zitadel.ch"` | String or Array of intended audiences MUST include ZITADEL's issuing domain | -| exp | `1605183582` | Unix timestamp of the expiry, MUST NOT be longer than 1h | -| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT | +| exp | `1605183582` | Unix timestamp of the expiry | +| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h | | iss | `"78366401571920522@acme"` | String which represents the requesting party (owner of the key), normally the `clientID` from the json key file | | sub | `"78366401571920522@acme"` | The subject ID of the application, normally the `clientID` from the json key file | diff --git a/docs/docs/apis/openidoauth/grant-types.md b/docs/docs/apis/openidoauth/grant-types.md index 9f2aeecaef..9b8af30f43 100644 --- a/docs/docs/apis/openidoauth/grant-types.md +++ b/docs/docs/apis/openidoauth/grant-types.md 
@@ -78,8 +78,8 @@ JWT | Claim | Example | Description | |:------|:------------------------------|:--------------------------------------------------------------------------------------------------------------| | aud | `"https://issuer.zitadel.ch"` | String or Array of intended audiences MUST include ZITADEL's issuing domain | -| exp | `1605183582` | Unix timestamp of the expiry, MUST NOT be longer than 1h | -| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT | +| exp | `1605183582` | Unix timestamp of the expiry | +| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h | | iss | `"77479219772321307"` | String which represents the requesting party (owner of the key), normally the `userId` from the json key file | | sub | `"77479219772321307"` | The subject ID of the service user, normally the `userId` from the json key file | diff --git a/docs/docs/guides/authentication/serviceusers.md b/docs/docs/guides/authentication/serviceusers.md index 9d9ba8cc2e..bac1c44ba2 100644 --- a/docs/docs/guides/authentication/serviceusers.md +++ b/docs/docs/guides/authentication/serviceusers.md 
@@ -98,21 +98,19 @@ Payload "iss": "100507859606888466", "sub": "100507859606888466", "aud": "https://issuer.zitadel.ch", - "iat": [Current UTC timestamp, e.g. 1605179982], - "exp": [UTC timestamp, max. 1 hour from iat, e.g. 1605183582] + "iat": [Current UTC timestamp, e.g. 1605179982, max. 1 hour ago], + "exp": [UTC timestamp, e.g. 1605183582] } ``` * `iss` represents the requesting party, i.e. the owner of the private key. In this case the value of `userId` from the downloaded JSON. * `sub` represents the application. Set the value also to the value of `userId` * `aud` must be ZITADEL's issuing domain -* `iat` is a unix timestamp of the creation signing time of the JWT, e.g. now -* `exp` is the unix timestamp of expiry of this assertion. Must be less than 1 hour from `iat` +* `iat` is a unix timestamp of the creation signing time of the JWT, e.g. now and must not be older than 1 hour ago +* `exp` is the unix timestamp of expiry of this assertion Please refer to [JWT_with_Private_Key](../../apis/openidoauth/authn-methods#jwt-with-private-key) in the documentation for further information. -> **Information:** The `exp` claim is currently not validated, but will be with a future release. Make sure that `exp` is less than 1 hour starting from `iat`. - If you use Go, you might want to use the [provided tool](https://github.com/caos/zitadel-tools) to generate a JWT from the downloaded json. There are many [libraries](https://jwt.io/#libraries-io) to generate and sign JWT. ### 3. With this JWT, request an OAuth token from ZITADEL
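Review bot: In the `authn-methods.md` hunk, moving the 1h bound from `exp` to `iat` leaves the `exp` row with no constraint at all ("Unix timestamp of the expiry"), so the table no longer says whether `exp` is checked or what happens to an assertion whose `exp` is already in the past while its `iat` is still within the last hour. State explicitly what the server does with `exp` (for example: "MUST be in the future; the assertion is rejected once it has passed"), otherwise readers of the `-` line who previously relied on the 1h lifetime have no replacement guidance. The same hunk also rewrites the `iat` description but keeps the typo "creation singing time"; since the line is being touched anyway, change it to "signing time".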
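Review bot: The `grant-types.md` hunk is a verbatim copy of the claim table in `authn-methods.md`, with the identical "creation singing time" typo on the `+| iat` line and the identical empty `exp` description. Whatever wording is chosen for `exp` and `iat` in the first file should be applied here in the same change so the two tables do not drift; consider having one of them link to the other rather than maintaining the table twice.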
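Review bot: In the `serviceusers.md` hunk, the new payload comment `"iat": [Current UTC timestamp, e.g. 1605179982, max. 1 hour ago]` reads as a contradiction ("current" versus "1 hour ago"), and the bullet `e.g. now and must not be older than 1 hour ago` is ungrammatical; suggested wording for both: "Unix timestamp of when the JWT was signed; normally now, and rejected if more than 1 hour in the past". The hunk also deletes the `> **Information:**` note stating that `exp` is currently not validated, without saying anywhere that it now is: if `exp` validation has shipped, the `exp` bullet should say "must be in the future", and if it has not, the note should stay, because removing it while also dropping the "max. 1 hour from iat" advice leaves clients with no guidance on the assertion's lifetime.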