To prevent re-use of JWT, we should be verifying the claims in the JWT. Kumar does this in inapp pay, but we should do it as well in solitude to prevent the re-use of JWT tokens. http://moz-inapp-pay.readthedocs.org/en/latest/#moz_inapp_pay.verify.verify_claims
you mean just for solitude's JWT communication with Marketplace, right?
yup, but there's no reason we can't do the checks for other relevant JWTs too
I'm working on a patch to verify claims of the BlueVia JWT in Marketplace after we verify the sig using solitude.
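A claims check of the kind being discussed, as an added example in Python; it is not moz-inapp-pay's verify_claims or any solitude or Marketplace code. It runs on the decoded payload after the signature has already been verified, and the issuer, audience, limits and the set used to remember accepted token ids are constructed assumptions:

```python
import time

# Constructed, hypothetical values for this example.
EXPECTED_ISSUER = "marketplace.example"   # assumption: the expected "iss"
EXPECTED_AUDIENCE = "solitude.example"    # assumption: the expected "aud"
MAX_AGE_SECONDS = 3600                    # reject tokens older than this
CLOCK_SKEW_SECONDS = 60                   # tolerance between the two clocks


class InvalidJWT(Exception):
    """Raised when a decoded JWT payload fails a claim check."""


def verify_claims(payload, seen_jtis, now=None):
    """Check the claims of an already signature-verified JWT payload.

    Rejects tokens from the wrong issuer or audience, tokens that are
    expired, issued in the future or too old, and tokens whose unique id
    (jti) has already been accepted, which is what prevents re-use.
    `seen_jtis` is the caller's store of accepted ids (a plain set here;
    a real deployment needs a shared store that expires old ids).
    """
    now = time.time() if now is None else now
    for claim in ("iss", "aud", "iat", "exp", "jti"):
        if claim not in payload:
            raise InvalidJWT("missing claim: %s" % claim)
    if payload["iss"] != EXPECTED_ISSUER:
        raise InvalidJWT("unexpected issuer: %r" % payload["iss"])
    if payload["aud"] != EXPECTED_AUDIENCE:
        raise InvalidJWT("unexpected audience: %r" % payload["aud"])
    iat, exp = float(payload["iat"]), float(payload["exp"])
    if exp < now - CLOCK_SKEW_SECONDS:
        raise InvalidJWT("token expired")
    if iat > now + CLOCK_SKEW_SECONDS:
        raise InvalidJWT("token issued in the future")
    if now - iat > MAX_AGE_SECONDS:
        raise InvalidJWT("token too old")
    if payload["jti"] in seen_jtis:
        raise InvalidJWT("token already used (replay)")
    # Only record the id once every other check has passed.
    seen_jtis.add(payload["jti"])
    return True


def claims_error(payload, seen_jtis, now=None):
    """Return the rejection reason as a string, or None if accepted."""
    try:
        verify_claims(payload, seen_jtis, now)
    except InvalidJWT as e:
        return str(e)
    return None
```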
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID