Closed
Bug Report
Describe the Bug
Temporal claims in JSON Web Tokens are expected to be NumericDate values ("epoch seconds"), but are in fact emitted as ISO-8601 strings.
Expected Behavior
Temporal claims (nbf, exp, iat) should be numeric values.
Observed Behavior
In many places they are String values.
Detailed Description
RFC 7519 Sections 4.1.4 to 4.1.6 define exp, nbf and iat as optional claims that must contain a NumericDate value, i.e. a JSON number giving the number of seconds since the Unix epoch (1970-01-01T00:00:00Z UTC, ignoring leap seconds). A conforming verifier will reject an ISO-8601 string in these claims, or misinterpret its validity window.
In many places, e.g. in the IdentityAndTrustService, we set those claims to be of type string.
Possible Implementation
Use the correct representation, i.e.:
// bad: ISO-8601 string, not a NumericDate
claims.put("exp", Instant.now().toString());
// correct: seconds since the Unix epoch (a long; the map must be Map<String, Object>)
claims.put("exp", Instant.now().getEpochSecond());
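As an added example (not code from this issue or from the IdentityAndTrustService), the following shows the claims map built with NumericDate values and a verifier-side check that reads them back the way a standards-compliant library would: anything that is not a JSON number is rejected, so the current string representation fails exactly where a downstream consumer would fail. The class and method names are assumptions for illustration.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper for illustration; not part of the project.
public class NumericDateClaims {

    // Build the temporal claims as NumericDate values (seconds since the Unix epoch).
    // The map is Map<String, Object> because the values are numbers, not strings.
    public static Map<String, Object> temporalClaims(Instant issuedAt, long ttlSeconds) {
        Map<String, Object> claims = new HashMap<>();
        claims.put("iat", issuedAt.getEpochSecond());
        claims.put("nbf", issuedAt.getEpochSecond());
        claims.put("exp", issuedAt.plusSeconds(ttlSeconds).getEpochSecond());
        return claims;
    }

    // Read a claim as NumericDate. Rejects anything that is not a number, which is
    // what a conforming verifier does with an ISO-8601 string in exp/nbf/iat.
    public static Instant numericDate(Map<String, Object> claims, String name) {
        Object v = claims.get(name);
        if (v == null) {
            throw new IllegalArgumentException("missing claim " + name);
        }
        if (!(v instanceof Number)) {
            throw new IllegalArgumentException(
                name + " must be a NumericDate, got " + v.getClass().getSimpleName());
        }
        // RFC 7519 allows a fractional NumericDate; truncate to whole seconds.
        return Instant.ofEpochSecond(((Number) v).longValue());
    }

    // RFC 7519: now must be >= nbf and < exp; skewSeconds is the tolerated clock skew.
    public static boolean isValidAt(Map<String, Object> claims, Instant now, long skewSeconds) {
        Instant nbf = numericDate(claims, "nbf");
        Instant exp = numericDate(claims, "exp");
        return !now.plusSeconds(skewSeconds).isBefore(nbf)
            && now.minusSeconds(skewSeconds).isBefore(exp);
    }

    public static void main(String[] args) {
        Instant now = Instant.now();

        Map<String, Object> good = temporalClaims(now, 300);
        System.out.println("numeric claims valid now: " + isValidAt(good, now, 30));

        // The representation this issue reports: an ISO-8601 string instead of a number.
        Map<String, Object> bad = new HashMap<>(good);
        bad.put("exp", now.plusSeconds(300).toString());
        try {
            isValidAt(bad, now, 30);
        } catch (IllegalArgumentException e) {
            System.out.println("string claim rejected: " + e.getMessage());
        }
    }
}
```

The instanceof Number check is deliberate: depending on the JSON parser, a NumericDate arrives as Integer, Long or Double, and all of them must be accepted, while a String must never be.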
Further notes
This will have a ripple effect through the code base, because many method parameters must be changed from Map<String, String> to Map<String, Object>, and it will affect downstream repositories as well.
Also, this is a breaking change!