Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jti verification doesn't prevent replays #73

Closed
iffy opened this issue Apr 7, 2015 · 2 comments
Closed

jti verification doesn't prevent replays #73

iffy opened this issue Apr 7, 2015 · 2 comments
Labels
discussion

Comments

@iffy
Copy link

iffy commented Apr 7, 2015

According to the spec the jti claim is intended (can be used) to prevent replay attacks. This implementation doesn't do that, correct?

https://github.com/progrium/ruby-jwt/blob/master/lib/jwt.rb#L156

If so, then is it misleading to claim support for jti on this page: http://jwt.io/ ?

I don't know Ruby and I don't know who's responsible for the data on jwt.io. I could be completely wrong.
@excpt
Copy link
Member

excpt commented Apr 7, 2015

That's right, at the current state of ruby-jwt there's no replay prevention implemented.

At the moment the replay prevention code has to be implemented by each project individually. IMHO we are supporting jti claim verification and this can be displayed on the jwt.io site. How to handle the exact jti values and replay prevention is a part for the developer how uses this lib at the moment.

@excpt
Copy link
Member

excpt commented May 11, 2015

A basic replay attack prevention is by now implemented.

@excpt excpt closed this as completed May 11, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
discussion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@iffy @excpt