I see that the cNonce used in a request is not checked for expiration.
What is checked is whether the credential request JWT `iat` (which is client-generated so not really trustable) is within the token expiration.
As I understand it, the token expiration is the access token expiration, and so instead of verifying the credential request JWT against the token expiration time, we should check it against the cNonce expiration time, to check if the cNonce used in the request hasn't expired yet.
Is that correct?
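The two checks contrasted in the issue, side by side, as an added example that is not code from the project or from the issue author. All names (`CNonceStore`, `checkIatAgainstTokenLifetime`, `checkNonceExpiry`), the `nonce` claim name, the lifetimes and the timestamps are assumptions, and the proof JWT signature is assumed to be verified already.

```javascript
// Added example; every name here is hypothetical, not the project's API.
// Assumes the proof JWT signature was already verified; `claims` is its payload.

// Server-side record of when each c_nonce was handed out.
class CNonceStore {
  constructor(ttlSeconds) {
    this.ttlSeconds = ttlSeconds;
    this.issued = new Map(); // c_nonce -> issue time on the server clock (epoch seconds)
  }
  issue(cNonce, nowSeconds) {
    this.issued.set(cNonce, nowSeconds);
  }
  status(cNonce, nowSeconds) {
    const issuedAt = this.issued.get(cNonce);
    if (issuedAt === undefined) return 'unknown_nonce';
    return nowSeconds - issuedAt > this.ttlSeconds ? 'expired_nonce' : 'ok';
  }
}

// The check described in the issue: client-supplied iat vs. access-token lifetime.
function checkIatAgainstTokenLifetime(claims, tokenExpiresInSeconds, nowSeconds) {
  return claims.iat + tokenExpiresInSeconds >= nowSeconds ? 'ok' : 'expired';
}

// The check proposed in the issue: expiry decided only from server-held nonce state.
function checkNonceExpiry(claims, store, nowSeconds) {
  if (typeof claims.nonce !== 'string') return 'missing_nonce';
  return store.status(claims.nonce, nowSeconds);
}

function demo() {
  const t0 = 1700000000;              // constructed timestamp
  const store = new CNonceStore(300); // c_nonce lifetime: 5 minutes (assumed)
  store.issue('n-1', t0);
  const tokenExpiresIn = 3600;        // access-token lifetime: 1 hour (assumed)
  const late = t0 + 900;              // request arrives 15 minutes after issuance
  // The client writes iat itself, so a fresh iat says nothing about the nonce's age.
  const staleNonce = { nonce: 'n-1', iat: late };
  return {
    iatCheck: checkIatAgainstTokenLifetime(staleNonce, tokenExpiresIn, late),
    nonceCheckLate: checkNonceExpiry(staleNonce, store, late),
    nonceCheckFresh: checkNonceExpiry({ nonce: 'n-1', iat: t0 + 10 }, store, t0 + 10),
    nonceCheckUnknown: checkNonceExpiry({ nonce: 'n-x', iat: late }, store, late),
  };
}

console.log(demo());
```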