
RFC 7519 specifies an optional "iat" field, indicating when a token was issued. The RFC provides a terse commentary:

This claim can be used to determine the age of the JWT.

What is the purpose of the "iat" field? For example, why would one want to determine the age of a JWT? Were there specific purposes in mind when the spec was created?

Edit: Notably, x509 does not have an analogous field, though it may frequently be that Not Before is very close to "Issued At." Another way of phrasing this question is: Why does JWT deliberately distinguish "Issued At" vs. "Not Before?"

jtpereyda
  • IMO this just serves as further description, something that you may e.g. want to print out when describing the token. Notice that the field is optional. – Drux Jan 08 '18 at 22:00
  • @Drux I'm wondering what purpose that description might serve. JWTs are a deliberately terse format, so I imagine any built-in parameter had some specific reason for being there; e.g. the designers thought certain implementations would want to check the "iat" field in certain situations. If you read the RFC, there are very few built-in "claims." Given that it's optional, the purpose presumably only applies in particular scenarios. – jtpereyda Jan 08 '18 at 22:52
  • 3
    We use `iat` so we can dynamically compute expiration times etc. server-side; we don't use `exp` in the token. – Joe Jan 09 '18 at 00:26

1 Answer

What is the purpose of the "iat" field? For example, why would one want to determine the age of a JWT? Were there specific purposes in mind when the spec was created?

"iat" can help the service that issued the JWT to make decisions on its own instead of depending on the issuer for a fixed expiration time (suggested in the comment by Joe above).

A JWT issuer could also set both an expiration "exp" time as well as an issued at "iat" time - the service receiving the token could decide that the expiration time is much too long, and discard it after a shorter interval which it can compute with "iat".

HTLee
  • 1
    This is definitely one way it can be used -- do you know if this was part of the reasoning for including it in the standard? Also, any thoughts on why it's explicitly distinguished from "nbf"? – jtpereyda Aug 16 '18 at 00:30
  • JWT is intended to be a generic, multi-purpose token, which may be interpreted as necessary by an application/service. I do not know the specific rationale behind "iat" as the specification doesn't prescribe what you can or cannot do with the parameters. – HTLee Oct 16 '18 at 01:06
  • 2
    "nbf" has an interesting use-case: roll-over. It allows a token to be issued early, but is not usable until a later date. Typically, an "nbf" token is issued along with an active (non-nbf) token. The active token is valid for say a week. The nbf token is deliberately set to be only available just before the active token expires. This helps improve security because each token is in active use for a shorter period of time, while reducing the need for the client to request new token(s), which might be expensive/inconvenient to do so. – HTLee Oct 16 '18 at 01:20
  • @HTLee Thanks for the `nbf` comment, I was looking for that specifically and came across this answer! – Brad Nov 26 '18 at 04:09
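The following is an added example, not code from the question or the answer above, showing the two ideas in this thread side by side: a receiving service that verifies the signature, applies the issuer's `exp`/`nbf` bounds, and then enforces its own shorter freshness window computed from `iat` (the answer's point), and an issuer minting an active token together with an `nbf`-delayed successor (HTLee's roll-over comment). It uses only the Python standard library; the shared secret, subject `alice`, the timestamps, and the `max_age` policy are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example only.
SECRET = b"example-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT. Present only so the example can build sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, now: int, max_age: int, secret: bytes = SECRET, leeway: int = 0):
    """Receiver-side check. Returns (accepted, reason).

    Order matters: the signature is verified before any claim is trusted; then the
    issuer's own bounds (exp, nbf) are applied; finally the receiver's local policy
    derives its own freshness window from iat instead of relying on exp alone.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable"
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    try:
        claims = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable"

    exp = claims.get("exp")
    if exp is not None and now >= exp + leeway:
        return False, "expired (exp)"
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        return False, "not yet valid (nbf)"
    iat = claims.get("iat")
    if iat is None:
        return False, "missing iat"        # local policy: age cannot be computed without it
    if iat > now + leeway:
        return False, "iat in the future"
    if now - iat > max_age:
        return False, "too old (iat)"      # receiver's window, independent of the issuer's exp
    return True, "ok"


def rollover_pair(issued_at: int, lifetime: int, overlap: int):
    """Issue an active token and its successor at the same moment.

    The successor's nbf sits 'overlap' seconds before the active token's exp, so the
    client already holds a usable replacement when the first token expires.
    """
    active = {"sub": "alice", "iat": issued_at, "exp": issued_at + lifetime}
    successor = {
        "sub": "alice",
        "iat": issued_at,                   # issued now, even though unusable for a while
        "nbf": issued_at + lifetime - overlap,
        "exp": issued_at + 2 * lifetime - overlap,
    }
    return make_token(active), make_token(successor)


def usable_tokens(tokens: dict, now: int, max_age: int):
    """Names of the tokens a receiver with the given max-age policy accepts at 'now'."""
    return [name for name, tok in tokens.items() if validate_token(tok, now, max_age)[0]]
```

One interaction worth noticing: the pre-issued successor carries the early `iat` of the moment it was minted, so a receiver whose `max_age` is shorter than the roll-over horizon will reject it as stale at exactly the point it becomes usable; the local freshness window and the issuer's roll-over schedule have to be chosen together.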