The JWT Token verification fails when the iat equals the current date
Issue #350
resolved
When the JWT is created, the iat (Issue At Time) is noted in epoch seconds. When the JWT token is verified in com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier the iat is checked against the current date. In the case that the iat and the current date are equal in millis (getTime()) and the maxClockSkew is 0, the verification fails. However the iat is equal to the current date and hence valid. The chance that it all happens is 1 ms, and the milliseconds modulo 1000 is zero is low, but could happen.
It could be easily fixed by check on equal:
// Issue time must be before current time, given acceptable clock skew
if (! (nowRef.equals(iat) || DateUtils.isBefore(iat, nowRef, maxClockSkew))) {
throw BadJWTExceptions.IAT_CLAIM_AHEAD_EXCEPTION;
}
Comments (4)
-
reporter
-
I like this forensic investigation
Yes, a PR will be greatly appreciated. Thanks!
-
reporter
-
- changed status to resolved
Merged and released as version 9.2.4 (2021-03-23).
Thanks!
- Log in to comment
I can provide a PR for this.