Provide some leniency in validating time claims #39
Comments
|
Hmm, I agree that now is not the best parameter for handle that. I'm open to suggestions! |
|
I've ran into the same issue where the It looks like the default impl of I've had to override I think it would make sense to default to allowing a minute or so of tolerance for |
|
+1 for a Also note that the RFC doesn't actually say you should validate |
|
@camsaul +1, it makes sense, (+1 for :tolerance) |
|
Following the discussion mentioned above by @tlrobinson I'd vote for removing the iat validation altogether:
|
|
Perhaps the simplest thing is to assume/request/require that the system generating the token with an |
Partially addresses funcool#39.
|
I've just submitted a PR removing Should leeway also be applied to validation of
@delitescere such workaround is not always possible because token can be provided to the application by the third party. |
|
G'day @metametadata
Yes, I would expect that in many cases the token is from a 3rd-party. To me, it's not a "workaround". Rather, it is acknowledging that the issuer is authoritative about the time period they want the token to be usable, and also acknowledging that tinkering with clock skew, ultimately, isn't a solution. Still, I understand the compulsion to add the notion of a leeway to a library as, if you were doing the token validation yourself, you'd add whatever leeway you wanted. However, I don't agree that ignoring |
|
I agree with @metametadata. The specs does not mention any specific validation for this claim, and checking for the infuture tokens creation nbf should be used. So i will proceed to merge the #49 PR. |
|
That is a mistake. And thus the spiral into another insecure implementation of a weak spec begins. OAuth redux. |
I thought you were suggesting to alter token's
I've posted a more detailed motivation on why |
|
Feedback please. If everything is ok, i will release a new major version with the latest changes on master. |
|
I provided draft docstring for |
|
+1, looks good. Thank you for taking time to fix the issue. |
|
Released 2.0.0 |
This updates buddy-core 1.1.1 -> 1.4.0, which updates org.bouncycastle/bcprov-jdk15on 1.55 -> 1.58, alleviating CVE-2016-1000341. See https://www.bouncycastle.org/releasenotes.html section 2.4.4, search for CVE-2016-1000341. This is a major version upgrade because of the following incompatible change: funcool/buddy-sign#39
This updates buddy-core 1.1.1 -> 1.4.0, which updates org.bouncycastle/bcprov-jdk15on 1.55 -> 1.58, alleviating CVE-2016-1000341. See https://www.bouncycastle.org/releasenotes.html section 2.4.4, search for CVE-2016-1000341. This is a major version upgrade because of the following incompatible change: funcool/buddy-sign#39
Since it references Issue funcool#39 and provides better context.
Since it references Issue #39 and provides better context.
I'm currently experiencing problems validating JWTs due to clock skew, the RFC specifies some leeway MAY be provided
Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.https://tools.ietf.org/html/rfc7519#section-4.1.4
Should we implement this? Any ideas what the API might look like?
Currently I can fix this by using a
nowoption that is a few minutes off, but this isn't really explicit.The text was updated successfully, but these errors were encountered: