AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

Module accepts any issuer and expiration #50

Open Jojo-IO opened 3 years ago

Jojo-IO commented 3 years ago

Installing the newest version from source and using e.g. the minimal configuration from the readme, the module accepts just any value given as AuthJWTIss and does not mind the expiration time. Access is only denied if the token is completely wrong.

Jojo-IO commented 3 years ago

It was a misconfiguration of the token. iss and exp were in the header instead of the payload. But I'm not sure a token should be accepted as valid when AuthJWTIss / AuthJWTExpDelay is set, but iss / exp is missing.

AnthonyDeroche commented 3 years ago

The AuthJWTExpDelay and AuthJWTIss are only used to issue tokens.

However, it is a good point. If there is a configured issuer and expiration delay, it's important to validate them afterwards. I will have a look at the code to check this behavior.

Any pull request is welcome.

Anthony
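The validation behaviour discussed in the two comments above (claims are only meaningful in the payload, and a configured issuer or expiry should make the matching claim mandatory), written out as an added stand-alone example; this is not code from mod_authnz_jwt, and the key, claim values and function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret"  # constructed key, not from the module's config

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header, payload, key=KEY):
    """Build an HS256 token from arbitrary header/payload dicts (test fixture only)."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", **header}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def validate_token(token, expected_iss=None, require_exp=False, now=0, key=KEY):
    """Return (accepted, reason). Claims are read from the payload only."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head_b64, body_b64, sig_b64 = parts
    # Verify the signature before trusting anything in either JSON part.
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        return False, "unexpected alg"
    payload = json.loads(_b64url_decode(body_b64))
    # Header fields are ignored from here on: iss/exp placed in the header (the
    # misconfiguration in the thread) never satisfy a check, and a configured
    # issuer makes the claim mandatory, so an absent claim fails instead of passing.
    if expected_iss is not None:
        if payload.get("iss") is None:
            return False, "missing iss"
        if payload["iss"] != expected_iss:
            return False, "wrong iss"
    if require_exp:
        if not isinstance(payload.get("exp"), (int, float)):
            return False, "missing exp"
        if now >= payload["exp"]:
            return False, "expired"
    return True, "ok"
```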

MinePlugins commented 2 years ago

Hello,

Any news on this?

Do you plan to work on it?

Thank you in advance