Next: , Previous: , Up: The Json Web Token   [Contents][Index]


8.4 Single-use tokens

To prevent replay attacks, you might want to assign a unique identifier to each token. If the token has an expiration date, you can remember that this identifier has been seen, and forget about it as soon as the token expires: an expired token is rejected by the time-bound check anyway, so keeping its identifier would only make the set of remembered identifiers grow without bound. For this to work, a single-use token needs an expiration date: this is why single-use tokens are only supported as time-bound tokens, and their validity is limited to 2 minutes.

Class: <single-use-token> (<time-bound-token>) nonce

The base class for tokens which are intended to be decoded only once. The unique identifier string nonce is remembered for as long as the program is running and the token has not expired.

As with the base token type, you can construct one by specifying its arguments, or create one from a pair of alists.

The main point of this class is to provide an even stricter token validation function, which succeeds only once for a given token. This guarantee has a practical limit: the set of seen nonces lives in the memory of the running program, so it is lost when the program is killed or restarted, and it is not shared with other processes. You can override the current date by passing #:current-date ... as a keyword argument to decode, just as you do for regular time-bound tokens; ... stands for a time or date object.
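The lifetime rule described above, written out as an added example in Guile Scheme. This is not the library's own code: it is a stand-alone replay cache with the same rule (a nonce is remembered until its token expires, and only for tokens within the 2-minute limit), so that the order of the checks and the edge cases are visible. It assumes string nonces, integer Unix timestamps for dates, and a caller that passes the current date explicitly, as decode does with #:current-date; the exception keys and the sample values are made up for the example.

```scheme
;; Added example, not part of the library: a minimal in-memory replay
;; cache with the same lifetime rule as <single-use-token>.  Assumptions:
;; nonces are strings, dates are integer Unix timestamps, and the caller
;; passes the current date explicitly, as decode does with #:current-date.

;; Maximum validity of a single-use token, in seconds (the 2-minute limit).
(define max-validity 120)

;; nonce -> expiration date of the token that carried it.  A plain Guile
;; hash table compares keys with equal?, so string nonces work as keys.
(define seen-nonces (make-hash-table))

(define (forget-expired! now)
  ;; Drop every nonce whose token has expired.  Such a token would be
  ;; rejected by the time-bound check anyway, so remembering it buys
  ;; nothing and would let the table grow without bound.  Collect the
  ;; keys first, then remove them, rather than mutating during traversal.
  (let ((expired (hash-fold (lambda (nonce expiration acc)
                              (if (<= expiration now) (cons nonce acc) acc))
                            '()
                            seen-nonces)))
    (for-each (lambda (nonce) (hash-remove! seen-nonces nonce)) expired)))

(define (accept-single-use! nonce expiration now)
  ;; Return #t and record NONCE if a token carrying it, expiring at
  ;; EXPIRATION, is acceptable at NOW; otherwise throw.  The time checks
  ;; run first, so an expired replay is reported as expired rather than
  ;; as a duplicate, and only nonces of tokens that could actually be
  ;; accepted are ever stored.
  (forget-expired! now)
  (cond
   ((<= expiration now)
    (throw 'token-expired nonce))
   ((> (- expiration now) max-validity)
    (throw 'token-too-long-lived nonce))
   ((hash-ref seen-nonces nonce)
    (throw 'nonce-found nonce))
   (else
    (hash-set! seen-nonces nonce expiration)
    #t)))

;; Constructed usage: the same token presented twice, then a fresh token
;; that reuses the nonce after the first one has expired.
(define t0 1700000000)

;; First use: accepted, and "nonce-1" is now remembered until t0 + 60.
(accept-single-use! "nonce-1" (+ t0 60) t0)

;; Same token ten seconds later: still valid on time, but its nonce has
;; been seen, so the replay is rejected.
(catch 'nonce-found
  (lambda () (accept-single-use! "nonce-1" (+ t0 60) (+ t0 10)))
  (lambda (key nonce) (format #t "replay rejected: ~a~%" nonce)))

;; Two minutes after t0 the first token has expired and been forgotten,
;; so a new token that happens to reuse the nonce is accepted again: the
;; replay window is exactly the token's lifetime, no longer.
(accept-single-use! "nonce-1" (+ t0 180) (+ t0 120))
```

The last call is the point to keep in mind when choosing nonces: once a token has expired, nothing stops a later token from carrying the same nonce, so uniqueness only has to hold within the validity window, but within that window a duplicate is always a replay.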

Generic: nonce-field-name token

When constructing token from an existing JWT, this method returns the name of the payload claim that carries the nonce. DPoP proofs use the 'jti claim, so they override this method.

Generic: nonce token

Return the unique identifier of token, as a string.

Exception type: &nonce-found nonce

Raised when a token with the same nonce has already been decoded and that earlier token has not yet expired. The exception carries the duplicated nonce.

function: make-nonce-found nonce

Construct an exception of type &nonce-found.

function: nonce-found? exception

Return true if exception was raised because a single-use token had already been decoded.

function: nonce-found-nonce exception

Return the duplicated nonce carried by exception.
