apigee / iloveapis2015-jwt-jwe-jws

Apache License 2.0
30 stars 36 forks source link

Allow time skew checks to be used with iat checks #9

Closed sztupy closed 6 years ago

sztupy commented 7 years ago

While there is an option to allow for a time skew on nbf and exp checks, there is no such option for checks on the issued at time, which is also a check that cannot be disabled at all. This PR includes the following changes:

Eric2017a commented 7 years ago

This change should be rejected for the following reasons:

  1. The issued at time is not used to determine JWT validity against the current time. Instead, the fields nbf and exp are intended for that use.

  2. Allowing setting the current time to an arbitrary value opens the door to replay attacks, and renders the issued at and expirations claims useless.

A more correct fix would be to remove the check of issued at time against current time, thus removing this parameter from consideration of JWT validity (applications using the JWT may decide they want to check this, but per the specification, there is no requirement on the iat being within the nbf to exp range, nor that the iat time be in the past, and there are some cases where it might be useful to have an issued time be in the future).

Note, the use of iat as an nbf claim in the current validity checking is a bug, and should be fixed.