oauth2.dev

nbf

IESG

Registry Context

The `nbf` claim identifies when a JWT may begin to be accepted for processing. Before that time, the JWT must not be accepted. The claim is optional, its value must be a NumericDate number, and implementers may allow a small clock-skew leeway.

Technical Summary

RFC 7519 defines `nbf` as the Not Before claim. The current date/time MUST be after or equal to its NumericDate value before the JWT is accepted for processing. Implementers MAY provide a small leeway, usually no more than a few minutes, for clock skew. Use of the claim is OPTIONAL.

When Used

When a JWT must not be accepted for processing before a specified time.

Normative Requirements

Unspecified actor

MUST
1
  1. RFC 7519 - Section 4.1.5

    encode the `nbf` claim value as a number containing a NumericDate value.

    Condition: when the `nbf` claim is used

    Its value MUST be a number containing a NumericDate value.

OPTIONAL
1
  1. RFC 7519 - Section 4.1.5

    use the `nbf` claim.

    Use of this claim is OPTIONAL.

Implementers

MAY
1
  1. RFC 7519 - Section 4.1.5

    provide some small leeway to account for clock skew.

    Condition: when processing the `nbf` claim

    Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.

JWT processor

MUST NOT
1
  1. RFC 7519 - Section 4.1.5

    accept the JWT for processing.

    Condition: before the date/time identified by the `nbf` claim

    The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.

MUST
1
  1. RFC 7519 - Section 4.1.5

    ensure that the current date/time is after or equal to the not-before date/time.

    Condition: when processing the `nbf` claim

    The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim.

Validation Guidance

error

Reject a JWT when the current time, accounting for any configured small clock-skew leeway, is still before its `nbf` time.

error

Verify that `nbf` is a JSON number containing a NumericDate value.

info

If clock-skew leeway is provided, keep it small; RFC 7519 describes it as usually no more than a few minutes.

info

Do not treat `nbf` as universally required by RFC 7519.

Security Notes

RFC 7519 - Section 4.1.5

A JWT MUST NOT be accepted for processing before the time identified by its `nbf` claim, subject to any small clock-skew leeway provided by the implementation.

RFC 7519 - Section 4.1.5

RFC 7519 describes clock-skew leeway as small and usually no more than a few minutes.

Reference

Details

Entry Id
nbf
Claim Name
nbf
Claim Description
Not Before
Change Controller
IESG
Reference
RFC7519 - Section 4.1.5