oauth2.dev

nbf

IESG

Registry Context

Optional introspection-response field indicating the time before which the token is not to be used.

Technical Summary

RFC 7662 defines `nbf` as an optional top-level introspection-response member containing an integer timestamp measured in seconds since January 1, 1970 UTC. Its semantics are defined by the JWT `nbf` claim in RFC 7519.

When Used

When an authorization server returns not-before information about an introspected token.

Normative Requirements

Authorization servers

MUST
1
  1. RFC 7519 - Section 4.1.5

    represent `nbf` as a number containing a NumericDate value.

    Condition: if `nbf` is present

    Its value MUST be a number containing a NumericDate value.

OPTIONAL
1
  1. RFC 7662 - Section 2.2

    include `nbf` as a top-level introspection-response member containing an integer timestamp measured in seconds since January 1, 1970 UTC and indicating when the token is not to be used before.

    nbf OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC

implementer

MAY
1
  1. RFC 7519 - Section 4.1.5

    allow a small amount of leeway, usually no more than a few minutes, to account for clock skew.

    Condition: when processing `nbf`

    Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.

token processor

MUST NOT
1
  1. RFC 7519 - Section 4.1.5

    accept the token for processing before the time identified by `nbf`.

    Condition: when applying the `nbf` semantics

    the JWT MUST NOT be accepted for processing

MUST
1
  1. RFC 7519 - Section 4.1.5

    require the current date and time to be after or equal to the not-before date and time listed in `nbf`.

    Condition: when processing `nbf`

    the current date/time MUST be after or equal to the not-before date/time

Validation Guidance

error

Verify that `nbf`, when present, is a JSON integer timestamp measured in seconds since 1970-01-01 UTC.

error

Reject the token when the current time is earlier than `nbf`, subject to any configured clock-skew leeway.

Reference

Details

Entry Id
nbf
Name
nbf
Description
Timestamp which the token is not valid before
Change Controller
IESG
Reference
RFC7662 - Section 2.2