exp
Registry Context
The `exp` claim identifies the time on or after which a JWT must not be accepted for processing. In a JAR Request Object, it retains this JWT-defined meaning.
Technical Summary
RFC 7519 defines `exp` as a NumericDate represented by a JSON number. RFC 9101 defines Request Objects as JWTs carrying OAuth 2.0 authorization request parameters and states that core JWT claims in Request Objects retain their JWT-defined purposes.
When Used
When a JWT, including a JAR Request Object, needs an explicit expiration time.
Normative Requirements
Requests
RFC 9101 - Section 4
Represent numerical values, including a numerical `exp` value, as JSON numbers..
Condition: When constructing a Request Object containing numerical values.
Numerical values MUST be included as JSON numbers.
Implementer
RFC 7519 - Section 4.1.4
Provide a small leeway, usually no more than a few minutes, to account for clock skew..
Condition: When processing `exp`.
Implementers MAY provide for some small leeway
JWT issuer
RFC 7519 - Section 4.1.4
Represent the `exp` value as a number containing a NumericDate value..
Condition: When including `exp`.
Its value MUST be a number containing a NumericDate value.
RFC 7519 - Section 4.1.4
Include the `exp` claim..
Use of this claim is OPTIONAL.
JWT processor
RFC 7519 - Section 4.1.4
Accept the JWT for processing on or after the expiration time identified by `exp`..
Condition: When `exp` is present.
JWT MUST NOT be accepted for processing
RFC 7519 - Section 4.1.4
Require the current date and time to be before the expiration date and time in `exp`..
Condition: When processing `exp`.
current date/time MUST be before the expiration date/time
Validation Guidance
When `exp` is present, verify that it is a JSON number containing a NumericDate value.
Reject the JWT when the current time is at or after `exp`, subject to any configured small clock-skew leeway.
Do not require every JWT to contain `exp`; its use is optional under RFC 7519.
For a JAR Request Object, interpret `exp` only with its JWT-defined expiration meaning.
Reference
Details
- Entry Id
exp- Name
exp- Parameter Usage Location
authorization request- Change Controller
IETF- Reference
RFC7519 - Section 4.1.4, RFC9101