oauth2.dev

nbf

IETF

Registry Context

`nbf` identifies the time before which a JWT must not be accepted for processing. Its value must be a NumericDate.

Technical Summary

`nbf` is an optional registered JWT claim whose value must be a JSON number containing a NumericDate. Processing requires the current time to be at or after that time, although a small clock-skew leeway may be applied. RFC 9101 registers it as an OAuth authorization request parameter for Request Objects.

When Used

authorization request

Normative Requirements

implementer

MAY
1
  1. RFC 7519 - Section 4.1.5

    allow a small leeway to account for clock skew.

    Condition: when processing the `nbf` claim

    Implementers MAY provide for some small leeway

JWT processor

MUST NOT
1
  1. RFC 7519 - Section 4.1.5

    accept the JWT for processing before the time identified by `nbf`.

    Condition: when the JWT contains an `nbf` claim

    the JWT MUST NOT be accepted for processing

MUST
1
  1. RFC 7519 - Section 4.1.5

    determine that the current date and time is after or equal to the not-before date and time.

    Condition: when processing the `nbf` claim

    the current date/time MUST be after or equal to the not-before date/time

JWT producer

MUST
1
  1. RFC 7519 - Section 4.1.5

    encode `nbf` as a number containing a NumericDate value.

    Condition: when the `nbf` claim is used

    Its value MUST be a number containing a NumericDate value.

OPTIONAL
1
  1. RFC 7519 - Section 4.1.5

    include the `nbf` claim.

    Use of this claim is OPTIONAL.

Validation Guidance

error

Reject an `nbf` value that is not a JSON number containing a valid NumericDate value.

error

Do not accept the JWT before the `nbf` time; any configured clock-skew allowance should be small.

info

Do not report an absent `nbf` claim as a violation of RFC 7519 alone.

Reference

Details

Entry Id
nbf
Name
nbf
Parameter Usage Location
authorization request
Change Controller
IETF
Reference
RFC7519 - Section 4.1.5, RFC9101