JWK exp, nbf and iat times
A JWK can include expiration (exp
), not-before (nbf
) and issued-at (iat
)
time attributes. The attribute names and their semantics are identical to the
JWT claims.
- exp – The key expiration time.
- nbf – The key use not-before time.
- iat – The key issue time.
All times are represented as an integer number of seconds since the Unix epoch.
Example RSA JWK with nbf
and exp
to indicate its time window of validity:
{
"kty" : "RSA",
"n" : "5s4qi...",
"e" : "AQAB",
"use" : "sig",
"kid" : "c748ab7f-d674-456b-ade8-178d532d2fe0",
"nbf" : 1672571260,
"exp" : 1672574860
}
To generate an RSA JWK and set a validity time window of 24 hours:
import java.util.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.*;
Date now = new Date();
Date nbf = now;
Date exp = nbf.getTime() + 24 * 60 * 60 * 1000; // ms precision
RSAKey jwk = new RSAKeyGenerator(2048)
.keyUse(KeyUse.SIGNATURE)
.keyID(UUID.randomUUID().toString())
.expirationTime(exp)
.notBeforeTime(nbf)
.generate();
To build an RSA JWK from a Java RSAPublicKey
and record its issue time:
import java.security.interfaces.*;
import java.util.*;
import com.nimbusds.jose.jwk.*;
RSAPublicKey publicKey = ...;
Date iat = new Date();
RSAKey jwk = new RSAKey.Builder(publicKey)
.keyUse(KeyUse.SIGNATURE)
.issueTime(iat)
.build();
When parsing X.509 certificates the
JWK exp
and nbf
will be set to the certificate’s not-after and not-before
attributes.