Thalhammer / jwt-cpp

A header-only library for creating and validating JSON Web Tokens in C++
https://thalhammer.github.io/jwt-cpp/
MIT License
865 stars 235 forks

Interface for disabling iat and nbf checks #179

Closed 8vp closed 2 years ago

8vp commented 2 years ago

Hi,

We have a use case where our token validation is failing on occasion. The reason is that our embedded device is subject to being set to a wrong system time due to various factors, and when this happens the interface function "explicit verifier(Clock c) : clock(c)" raises a token verification error - line 2928.

In such cases, is there another interface we can use where the iat and nbf checks can be disabled? Or a build flag to disable the check to address such issues would be great. Many thanks.

Thalhammer commented 2 years ago

You should be able to change the verifier for the time related claims (nbf, iat, exp) to a noop, however I strongly recommend against this since it causes every token ever generated to be valid forever, thus making it no better than a simple random password. If you can in any way, fix the clock issue (if you have network, this is easy, just query an NTP server. Simple NTP without delay correction is trivial and more than enough. I've done this before, it's about 400 lines max, or send the correct time in an earlier server response (if there's one).). If you can't fix the time, put an incrementing number in a claim and verify that the number never goes backwards or repeats, to prevent replay attacks.

with_claim accepts a std::function<void(const verify_ops::verify_context<json_traits>&, std::error_code& ec)> as second parameter, so something like this should work:

 verifier.with_claim("iat", [](const verify_ops::verify_context<json_traits>&, std::error_code&) {});
 // Same for nbf and exp
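
The trade-off described above, worked through as an added example that is not part of the issue and not jwt-cpp's own code. It is a standard-library-only stand-in: `verify_context`, `verifier::with_claim` and `replay_guard` are hypothetical types modelled on the hook shape the comment describes (a `std::function<void(const verify_context&, std::error_code&)>` per claim), not the library's real `verify_ops::verify_context<json_traits>`. It shows why a noop on iat/nbf/exp makes a wrong device clock irrelevant but also accepts an expired token, and how the suggested strictly increasing counter claim rejects repeats and regressions even when time cannot be trusted.

```cpp
#include <cstdint>
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <system_error>
#include <utility>

// Hypothetical stand-in for the library's verify context: decoded numeric claims
// plus the clock reading the verifier was given (possibly wrong on the device).
struct verify_context {
    std::map<std::string, std::int64_t> claims;
    std::int64_t now; // seconds since epoch as reported by the device clock
};

using check_fn = std::function<void(const verify_context&, std::error_code&)>;

// Minimal verifier exposing the same with_claim(name, fn) hook shape as the comment.
class verifier {
public:
    verifier& with_claim(const std::string& name, check_fn fn) {
        checks_[name] = std::move(fn);
        return *this;
    }
    // Runs every registered check; the first one that sets ec decides the result.
    std::error_code verify(const verify_context& ctx) const {
        std::error_code ec;
        for (const auto& entry : checks_) {
            entry.second(ctx, ec);
            if (ec) return ec;
        }
        return ec;
    }
private:
    std::map<std::string, check_fn> checks_;
};

// Fetches a numeric claim; a missing claim is itself a verification failure.
static bool get_claim(const verify_context& ctx, const std::string& name,
                      std::int64_t& out, std::error_code& ec) {
    auto it = ctx.claims.find(name);
    if (it == ctx.claims.end()) { ec = std::make_error_code(std::errc::invalid_argument); return false; }
    out = it->second;
    return true;
}

// Time checks in the spirit of the defaults: iat/nbf must not be in the future, exp must be.
static check_fn must_not_be_after_now(const std::string& name) {
    return [name](const verify_context& ctx, std::error_code& ec) {
        std::int64_t v;
        if (get_claim(ctx, name, v, ec) && v > ctx.now) ec = std::make_error_code(std::errc::operation_not_permitted);
    };
}
static check_fn must_be_after_now(const std::string& name) {
    return [name](const verify_context& ctx, std::error_code& ec) {
        std::int64_t v;
        if (get_claim(ctx, name, v, ec) && v <= ctx.now) ec = std::make_error_code(std::errc::timed_out);
    };
}

verifier strict_verifier() {
    return verifier{}
        .with_claim("iat", must_not_be_after_now("iat"))
        .with_claim("nbf", must_not_be_after_now("nbf"))
        .with_claim("exp", must_be_after_now("exp"));
}

// The workaround from the comment: the claims are still "checked", but the check does nothing.
verifier noop_time_verifier() {
    auto noop = [](const verify_context&, std::error_code&) {};
    return verifier{}.with_claim("iat", noop).with_claim("nbf", noop).with_claim("exp", noop);
}

// Replay guard for the suggested fallback: a counter claim that must strictly increase.
// State lives in the guard instance; a real deployment keys it per device and persists it.
class replay_guard {
public:
    check_fn check(std::string claim) {
        return [this, claim](const verify_context& ctx, std::error_code& ec) {
            std::int64_t v;
            if (!get_claim(ctx, claim, v, ec)) return;
            if (v <= last_) { ec = std::make_error_code(std::errc::operation_not_permitted); return; }
            last_ = v; // accepted: remember the high-water mark
        };
    }
private:
    std::int64_t last_ = -1;
};

// Builds a constructed sample token context (values are made up for the example).
verify_context token(std::int64_t iat, std::int64_t nbf, std::int64_t exp, std::int64_t now, std::int64_t ctr = -1) {
    verify_context ctx{{{"iat", iat}, {"nbf", nbf}, {"exp", exp}}, now};
    if (ctr >= 0) ctx.claims["ctr"] = ctr;
    return ctx;
}

int main() {
    // Device clock reads 500 while the token was issued at 1000: strict check fails, noop passes.
    std::cout << "strict, clock behind: " << strict_verifier().verify(token(1000, 1000, 2000, 500)).message() << "\n";
    std::cout << "noop, clock behind:   " << noop_time_verifier().verify(token(1000, 1000, 2000, 500)).message() << "\n";
    std::cout << "noop, long expired:   " << noop_time_verifier().verify(token(1000, 1000, 2000, 9999999)).message() << "\n";
    replay_guard guard;
    verifier v = noop_time_verifier().with_claim("ctr", guard.check("ctr"));
    std::cout << "ctr=1 first use: " << v.verify(token(1000, 1000, 2000, 500, 1)).message() << "\n";
    std::cout << "ctr=1 replayed:  " << v.verify(token(1000, 1000, 2000, 500, 1)).message() << "\n";
    return 0;
}
```

The guard only closes the replay window; it does not bring back expiry, so a stolen token with a fresh counter is still usable until the key is rotated, which is the "no better than a random password" point above.
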

8vp commented 2 years ago

Thank you for the clarification. Yes, we plan to implement NTP shortly to resolve this issue. However, for the time being we will use the approach suggested.

(Reply sent by e-mail on Thu, 30 Sep 2021, 15:11, quoting Dominik Thalhammer's comment above.)