The JWT Token verification fails when the iat equals the current date

Issue #350 resolved
Pim Moerenhout created an issue

When the JWT is created, the iat (Issued At Time) is noted in epoch seconds. When the JWT token is verified in com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier, the iat is checked against the current date. In the case that the iat and the current date are equal in millis (getTime()) and the maxClockSkew is 0, the verification fails. However, the iat is equal to the current date and hence valid. The chance that it all happens in the same millisecond, with the milliseconds modulo 1000 being zero, is low, but it could happen.

It could be easily fixed by checking for equality:

    // Issue time must be before current time, given acceptable clock skew
    if (! (nowRef.equals(iat) || DateUtils.isBefore(iat, nowRef, maxClockSkew))) {
        throw BadJWTExceptions.IAT_CLAIM_AHEAD_EXCEPTION;
    }
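
The edge case in this report, worked through as an added example (this is not code from nimbus-jose-jwt or the OpenID Connect SDK). It assumes the library's `isBefore(iat, now, skew)` helper behaves as the report describes, i.e. a strict "before" comparison after subtracting the skew, and it models `iat` as a whole-second timestamp compared against a millisecond-precision `now`:

```python
from datetime import datetime, timedelta, timezone


def iat_from_epoch_seconds(iat_seconds: int) -> datetime:
    """JWT `iat` is an integer number of seconds, so the value never carries milliseconds."""
    return datetime.fromtimestamp(iat_seconds, tz=timezone.utc)


def is_strictly_before(date: datetime, reference: datetime, max_clock_skew_s: int) -> bool:
    """Assumed semantics of the library helper: (date - skew) must be STRICTLY earlier
    than the reference. With skew 0 and date == reference this returns False."""
    return (date - timedelta(seconds=max_clock_skew_s)) < reference


class IatAheadError(Exception):
    """Stands in for the IAT_CLAIM_AHEAD exception raised by the verifier."""


def verify_iat_strict(iat: datetime, now: datetime, max_clock_skew_s: int = 0) -> bool:
    """The check as reported: rejects a token whose iat equals `now` when skew is 0."""
    if not is_strictly_before(iat, now, max_clock_skew_s):
        raise IatAheadError("iat claim is ahead of the current time")
    return True


def verify_iat_fixed(iat: datetime, now: datetime, max_clock_skew_s: int = 0) -> bool:
    """The proposed fix: equality with `now` is accepted as well."""
    if not (iat == now or is_strictly_before(iat, now, max_clock_skew_s)):
        raise IatAheadError("iat claim is ahead of the current time")
    return True


def outcome(verify, iat: datetime, now: datetime, skew: int) -> str:
    try:
        verify(iat, now, skew)
        return "accepted"
    except IatAheadError:
        return "rejected"


# Constructed sample: a token issued at epoch second 1704110400 (2024-01-01T12:00:00Z).
ISSUED = iat_from_epoch_seconds(1704110400)


def run_cases() -> dict:
    """Returns {case: (strict_result, fixed_result)} for the situations in the report."""
    cases = {
        # Verified in the very millisecond the token was issued: the reported failure.
        "same_ms_skew0": (ISSUED, ISSUED, 0),
        # Verified one millisecond later: both variants accept.
        "one_ms_later_skew0": (ISSUED, ISSUED + timedelta(milliseconds=1), 0),
        # A genuinely future iat must still be rejected by the fixed check.
        "iat_1s_future_skew0": (ISSUED + timedelta(seconds=1), ISSUED, 0),
        # Any non-zero skew (here 60 s) already absorbs the equality case.
        "iat_1s_future_skew60": (ISSUED + timedelta(seconds=1), ISSUED, 60),
    }
    return {
        name: (outcome(verify_iat_strict, *c), outcome(verify_iat_fixed, *c))
        for name, c in cases.items()
    }


if __name__ == "__main__":
    for name, (strict, fixed) in run_cases().items():
        print(f"{name:22s} strict={strict:8s} fixed={fixed}")
```

The fixed variant changes only the equality case: an `iat` that is actually in the future is still rejected with zero skew, and a deployment that already allows a few seconds of clock skew never hits the problem in the first place, because subtracting the skew moves `iat` strictly before `now`.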

Comments (4)
