Honour nbf claim if present in ID token
anderseknert committed Aug 15, 2019
1 parent 274971e commit f77fa56
Showing 3 changed files with 41 additions and 1 deletion.
1 change: 1 addition & 0 deletions oidc.go
Expand Up @@ -321,6 +321,7 @@ type idToken struct {
Audience audience `json:"aud"`
Expiry jsonTime `json:"exp"`
IssuedAt jsonTime `json:"iat"`
NotBefore *jsonTime `json:"nbf"`
Nonce string `json:"nonce"`
AtHash string `json:"at_hash"`
ClaimNames map[string]string `json:"_claim_names"`
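Review bot: The new `NotBefore` field carries no doc comment, and since it is the only pointer-typed time field among the visible claims, the reason for the pointer (an absent claim must be distinguishable from the zero time) deserves a line; suggest `// NotBefore holds the optional "nbf" claim; nil when the token does not carry it.` directly above it. The `idToken` struct starts and ends outside the hunk.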
13 changes: 12 additions & 1 deletion verify.go
Expand Up @@ -270,10 +270,21 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
if v.config.Now != nil {
now = v.config.Now
}
nowTime := now()

if t.Expiry.Before(now()) {
if t.Expiry.Before(nowTime) {
return nil, fmt.Errorf("oidc: token is expired (Token Expiry: %v)", t.Expiry)
}

// If nbf claim is provided in token, ensure that it is indeed in the past.
if token.NotBefore != nil {
nbfTime := time.Time(*token.NotBefore)
leeway := 1 * time.Minute

if nowTime.Add(leeway).Before(nbfTime) {
return nil, fmt.Errorf("oidc: current time %v before the nbf (not before) time: %v", nowTime, nbfTime)
}
}
}

switch len(jws.Signatures) {
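Review bot: The nbf check tolerates 60 seconds of clock skew, but the exp check a few lines above it still compares `t.Expiry` against `nowTime` with no tolerance, so the same verifier is lenient in one direction and strict in the other; either apply the leeway to both or state in a comment why only nbf gets it. The `leeway` value is also a magic number rebuilt on every call — a package-level `const nbfLeeway = time.Minute // tolerated clock skew for the "nbf" claim` and `if nowTime.Add(nbfLeeway).Before(nbfTime) {` names it and keeps it in one place. The new check sits inside the same enclosing block as the expiry check, whose opening condition is outside the hunk; if that block is the skip-expiry guard, skipping the expiry check silently skips nbf as well, which is worth documenting. `Verify` starts and ends outside the hunk.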
28 changes: 28 additions & 0 deletions verify_test.go
Expand Up @@ -107,6 +107,34 @@ func TestVerify(t *testing.T) {
},
signKey: newRSAKey(t),
},
{
name: "nbf in future",
idToken: `{"iss":"https://foo","nbf":` + strconv.FormatInt(time.Now().Add(time.Hour).Unix(), 10) +
`,"exp":` + strconv.FormatInt(time.Now().Add(time.Hour).Unix(), 10) + `}`,
config: Config{
SkipClientIDCheck: true,
},
signKey: newRSAKey(t),
wantErr: true,
},
{
name: "nbf in past",
idToken: `{"iss":"https://foo","nbf":` + strconv.FormatInt(time.Now().Add(-time.Hour).Unix(), 10) +
`,"exp":` + strconv.FormatInt(time.Now().Add(time.Hour).Unix(), 10) + `}`,
config: Config{
SkipClientIDCheck: true,
},
signKey: newRSAKey(t),
},
{
name: "nbf in future within clock skew tolerance",
idToken: `{"iss":"https://foo","nbf":` + strconv.FormatInt(time.Now().Add(30*time.Second).Unix(), 10) +
`,"exp":` + strconv.FormatInt(time.Now().Add(time.Hour).Unix(), 10) + `}`,
config: Config{
SkipClientIDCheck: true,
},
signKey: newRSAKey(t),
},
}
for _, test := range tests {
t.Run(test.name, test.run)
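Review bot: The three new cases derive nbf from the wall clock rather than from `Config.Now`, so the 60-second tolerance boundary is never pinned: the 30-second case passes for any leeway above 30 seconds, and nothing fails if the tolerance is later widened by accident. A case that sets `Now` to a fixed instant and places nbf just past the leeway (with `wantErr: true`) and another just inside it would lock the boundary down, assuming `Config.Now` is honoured the way the verify.go change indicates. The `tests` slice and `TestVerify` begin outside the hunk.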

0 comments on commit f77fa56

Please sign in to comment.