IBM Security Verify


IBM Application Gateway creates JWTs that are not compliant with JSON Web Token (JWT) - RFC 7519.

We are currently configuring IBM Application Gateway to be used with OAuth introspection and JWT as the identity header to be sent to the resource server. As all attributes are stored as strings in the credential, even claims that need numeric values can only be of type string. This has been discussed here: https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2863&MessageKey=168abd5e-e2d4-42ab-a12a-4886b173399d&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&ReturnUrl=%2fcommunity%2fuser%2fsecurity%2fcommunities%2fcommunity-home%2fdigestviewer%3fcommunitykey%3de7c36119-46d7-42f2-97a9-b44f0cc89c6d


This is problematic as it violates the JWT standard. For instance, this is the description of nbf:

4.1.5. "nbf" (Not Before) Claim

The "nbf" (not before) claim identifies the time before which the JWT
MUST NOT be accepted for processing. The processing of the "nbf"
claim requires that the current date/time MUST be after or equal to
the not-before date/time listed in the "nbf" claim. Implementers MAY
provide for some small leeway, usually no more than a few minutes, to
account for clock skew. Its value MUST be a number containing a
NumericDate value. Use of this claim is OPTIONAL.


The result is that JWTs generated by IAG cannot be evaluated by the resource servers, as the claims are of the wrong type.


  • Guest
  • Mar 8 2022
  • Not under consideration
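
A resource-server-side check for the type mismatch described in the idea above, as an added example that is not part of the original post and is not IBM code: it decodes a token's claims set and reports which RFC 7519 NumericDate claims (exp, nbf, iat) are not JSON numbers. The tokens, claim values and function names are constructed for illustration, and the check inspects types only; it does not verify the signature.

```python
import base64
import json

# Registered claims that RFC 7519 defines as NumericDate (sections 4.1.4 to 4.1.6).
NUMERIC_DATE_CLAIMS = ("exp", "nbf", "iat")

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def numeric_date_violations(token: str) -> dict:
    """Return {claim: reason} for NumericDate claims that are not JSON numbers.

    Type inspection only: the signature is NOT verified here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT claims set must be a JSON object")
    problems = {}
    for name in NUMERIC_DATE_CLAIMS:
        if name not in claims:
            continue  # these claims are OPTIONAL
        value = claims[name]
        # bool is a subclass of int in Python, but JSON true/false is not a number.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems[name] = f"{type(value).__name__} {value!r}, expected JSON number"
    return problems

def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature (hypothetical helper)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'constructed-signature')}"

# Constructed samples: string-typed timestamps as the post describes, and a compliant set.
STRING_TYPED = make_sample_token({"sub": "alice", "nbf": "1646697600", "exp": "1646701200"})
COMPLIANT = make_sample_token({"sub": "alice", "nbf": 1646697600, "exp": 1646701200})

if __name__ == "__main__":
    print(numeric_date_violations(STRING_TYPED))
    print(numeric_date_violations(COMPLIANT))
```

Run against a captured token, this shows whether a validation failure comes from claim typing rather than from the signature or the clock.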
