Expiration date in Milliseconds always passes date validation
Issue #66
wontfix
Hi,
I am using JWT tokens from WSO2 and it sends expiration dates in milliseconds. According to the logic in the validation code, expiration date is compared to current time in seconds and it always wins since the comparison is based on long numbers.
Can we add a conversion of timestamps from milliseconds to seconds? For instance, we may simply check whether the value is higher than 4102444800L (2100-1-1).
I can also create a pull request if you agree.
Check NumericDateValidator:
NumericDate evaluationTime = (staticEvaluationTime == null) ? NumericDate.now() : staticEvaluationTime;
if (expirationTime != null)
{
// if (!evaluationTime.isBefore(expirationTime, allowedClockSkewSeconds))
if ((evaluationTime.getValue() - allowedClockSkewSeconds) >= expirationTime.getValue())
{
return "The JWT is no longer valid - the evaluation time " + evaluationTime + " is on or after the Expiration Time (exp="+expirationTime+") claim value" + skewMessage();
}
Comments (5)
-
repo owner -
repo owner - marked as proposal
not a defect
-
repo owner The WSO2 folks are aware of the issue, have a ticket for it, and say it will be fixed in the next release. https://twitter.com/prabath/status/729812154325458944
-
reporter Thanks Brian, I'll go for the your temporary solution till it WSO2 resolves it.
-
repo owner - changed status to wontfix
- Log in to comment
Hi Yunus,
This is a reasonable request on the surface, however, the underlying issue is really a defect in WSO2 in not conforming to the IETF standard.
JWT/RFC 7519 defines "exp" as a NumericDate. http://tools.ietf.org/html/rfc7519#section-4.1.4
And a NumericDate is represented in seconds. http://tools.ietf.org/html/rfc7519#section-2
I endeavor to keep this library free of "special" behavior to work around defects or non-standard implementations.
As a workaround, you can create your own Validator implementation that treats "exp" as milliseconds or does the conversion you described above and use JwtConsumerBuilder's registerValidator(Validator validator) to plug it into the JwtConsumer validation process.
Using something like .setMaxFutureValidityInMinutes(1440) on the JwtConsumerBuilder can also help detect and prevent JWTs with an "exp" that's unacceptably far in the future.