TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-02-28 21:27:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: fix jwt profile iat and exp (#2660)

Browse Source
This commit is contained in:
Livio Amstutz 2021-11-11 17:56:30 +01:00 committed by GitHub
parent fef9eb91f9
commit 5bc0520adb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/docs/apis/openidoauth/authn-methods.md
View File

@ -46,8 +46,8 @@ JWT
| Claim | Example | Description | | Claim | Example | Description |
|:------|:------------------------------|:----------------------------------------------------------------------------------------------------------------| |:------|:------------------------------|:----------------------------------------------------------------------------------------------------------------|
| aud | `"https://issuer.zitadel.ch"` | String or Array of intended audiences MUST include ZITADEL's issuing domain | | aud | `"https://issuer.zitadel.ch"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
| exp | `1605183582` | Unix timestamp of the expiry, MUST NOT be longer than 1h | | exp | `1605183582` | Unix timestamp of the expiry |
| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT | | iat | `1605179982` | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h |
| iss | `"78366401571920522@acme"` | String which represents the requesting party (owner of the key), normally the `clientID` from the json key file | | iss | `"78366401571920522@acme"` | String which represents the requesting party (owner of the key), normally the `clientID` from the json key file |
| sub | `"78366401571920522@acme"` | The subject ID of the application, normally the `clientID` from the json key file | | sub | `"78366401571920522@acme"` | The subject ID of the application, normally the `clientID` from the json key file |

4
docs/docs/apis/openidoauth/grant-types.md
View File

@ -78,8 +78,8 @@ JWT
| Claim | Example | Description | | Claim | Example | Description |
|:------|:------------------------------|:--------------------------------------------------------------------------------------------------------------| |:------|:------------------------------|:--------------------------------------------------------------------------------------------------------------|
| aud | `"https://issuer.zitadel.ch"` | String or Array of intended audiences MUST include ZITADEL's issuing domain | | aud | `"https://issuer.zitadel.ch"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
| exp | `1605183582` | Unix timestamp of the expiry, MUST NOT be longer than 1h | | exp | `1605183582` | Unix timestamp of the expiry |
| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT | | iat | `1605179982` | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h |
| iss | `"77479219772321307"` | String which represents the requesting party (owner of the key), normally the `userId` from the json key file | | iss | `"77479219772321307"` | String which represents the requesting party (owner of the key), normally the `userId` from the json key file |
| sub | `"77479219772321307"` | The subject ID of the service user, normally the `userId` from the json key file | | sub | `"77479219772321307"` | The subject ID of the service user, normally the `userId` from the json key file |

10
docs/docs/guides/authentication/serviceusers.md
View File

@ -98,21 +98,19 @@ Payload
"iss": "100507859606888466", "iss": "100507859606888466",
"sub": "100507859606888466", "sub": "100507859606888466",
"aud": "https://issuer.zitadel.ch", "aud": "https://issuer.zitadel.ch",
"iat": [Current UTC timestamp, e.g. 1605179982], "iat": [Current UTC timestamp, e.g. 1605179982, max. 1 hour ago],
"exp": [UTC timestamp, max. 1 hour from iat, e.g. 1605183582] "exp": [UTC timestamp, e.g. 1605183582]
} }
``` ```
* `iss` represents the requesting party, i.e. the owner of the private key. In this case the value of `userId` from the downloaded JSON. * `iss` represents the requesting party, i.e. the owner of the private key. In this case the value of `userId` from the downloaded JSON.
* `sub` represents the application. Set the value also to the value of `userId` * `sub` represents the application. Set the value also to the value of `userId`
* `aud` must be ZITADEL's issuing domain * `aud` must be ZITADEL's issuing domain
* `iat` is a unix timestamp of the creation signing time of the JWT, e.g. now * `iat` is a unix timestamp of the creation signing time of the JWT, e.g. now and must not be older than 1 hour ago
* `exp` is the unix timestamp of expiry of this assertion. Must be less than 1 hour from `iat` * `exp` is the unix timestamp of expiry of this assertion
Please refer to [JWT_with_Private_Key](../../apis/openidoauth/authn-methods#jwt-with-private-key) in the documentation for further information. Please refer to [JWT_with_Private_Key](../../apis/openidoauth/authn-methods#jwt-with-private-key) in the documentation for further information.
> **Information:** The `exp` claim is currently not validated, but will be with a future release. Make sure that `exp` is less than 1 hour starting from `iat`.
If you use Go, you might want to use the [provided tool](https://github.com/caos/zitadel-tools) to generate a JWT from the downloaded json. There are many [libraries](https://jwt.io/#libraries-io) to generate and sign JWT. If you use Go, you might want to use the [provided tool](https://github.com/caos/zitadel-tools) to generate a JWT from the downloaded json. There are many [libraries](https://jwt.io/#libraries-io) to generate and sign JWT.
### 3. With this JWT, request an OAuth token from ZITADEL ### 3. With this JWT, request an OAuth token from ZITADEL