jwt-dotnet / jwt

Jwt.Net, a JWT (JSON Web Token) implementation for .NET

nbf validation cannot be disabled #502

Open Voileexperiments opened 1 week ago

Voileexperiments commented 1 week ago

For some reason ValidationParameters has ValidateIssuedTime and ValidateExpirationTime, but not ValidateNotBeforeTime. Additionally, there is no way to manually disable this anywhere.

Voileexperiments commented 1 week ago

After looking at the source code, the handling of ValidateIssuedTime is incorrect, since it actually validates nbf instead of iss:

https://github.com/jwt-dotnet/jwt/blob/d6b1e4e76d45e7493970d177c6138b8174ff62c2/src/JWT/JwtValidator.cs#L165-L168

iss and nbf are completely different, and they can be set with different values (e.g. if you're issuing a token that should only be usable at a later date).

abatishchev commented 1 week ago

Check this out: https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1

iss and nbf are completely different, indeed. The former stands for "issuer".

Are you confusing iss and iat?

I agree that the validation parameter's name is confusing (incorrect), issued -> something else. But what would be a better, yet readable, name?

Can you describe your scenario in which you need to validate the iat claim? And how you'd like to validate it?

In AAD for example, both claims usually have the same value.

Voileexperiments commented 1 week ago

Sorry, I meant iat when I said iss above.

I agree that the validation parameter's name is confusing (incorrect), issued -> something else. But what would be a better, yet readable, name?

Can you describe your scenario in which you need to validate the iat claim?

I don't really need to validate iat, but naming ValidateIssuedTime for nbf instead of something like ValidateNotBefore is semantically incorrect from the JWT spec, since iat and nbf have well-defined meanings by RFC 7159:

The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.

The "iat" (issued at) claim identifies the time at which the JWT was issued.

A parameter named ValidateIssuedTime should unambiguously be handling the "issued time" field, otherwise it is not doing what its name says it's supposed to do. Yes, iat usually doesn't need to be validated, but then using ValidateIssuedTime to validate nbf is not correct either.
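
The following is an added example and is not code from the jwt-dotnet/jwt project or from either commenter. It shows what the separate exp, nbf and iat checks from RFC 7519 section 4.1 look like when each option is named after the claim it actually enforces, including the case from the issue: a token whose nbf is later than its iat, and the ability to turn the nbf check off on its own. The type and option names (TimeValidationOptions, ValidateNotBefore, ValidateIssuedAt, Leeway) are hypothetical, the payload is constructed, and the code assumes the payload has already been base64url-decoded and its signature verified; signature verification is deliberately out of scope here.

```csharp
// Added example, not the jwt-dotnet/jwt library's code. Validates the time claims of an
// already-decoded, signature-verified JWT payload, with one option per RFC 7519 claim.
using System;
using System.Text.Json;

public sealed class TimeValidationOptions
{
    // Hypothetical option names, chosen to match the claim each one checks.
    public bool ValidateExpiration { get; set; } = true;   // exp: reject once now >= exp (+ leeway)
    public bool ValidateNotBefore { get; set; } = true;    // nbf: reject while now < nbf (- leeway)
    public bool ValidateIssuedAt { get; set; } = false;    // iat: optional sanity check, must not be in the future
    public TimeSpan Leeway { get; set; } = TimeSpan.FromSeconds(30); // clock-skew tolerance (assumed value)
}

public static class JwtTimeValidator
{
    // Returns null when every enabled check passes, otherwise the name of the claim that failed.
    public static string? Validate(string payloadJson, DateTimeOffset now, TimeValidationOptions opts)
    {
        using var doc = JsonDocument.Parse(payloadJson);
        JsonElement root = doc.RootElement;
        long nowSec = now.ToUnixTimeSeconds();
        long leeway = (long)opts.Leeway.TotalSeconds;

        if (opts.ValidateExpiration && TryGetNumericDate(root, "exp", out long exp)
            && nowSec >= exp + leeway)
            return "exp";

        if (opts.ValidateNotBefore && TryGetNumericDate(root, "nbf", out long nbf)
            && nowSec + leeway < nbf)
            return "nbf";

        if (opts.ValidateIssuedAt && TryGetNumericDate(root, "iat", out long iat)
            && iat > nowSec + leeway)
            return "iat";

        return null;
    }

    // RFC 7519 NumericDate: seconds since the Unix epoch. A missing claim is skipped,
    // because none of exp, nbf or iat is mandatory in the RFC.
    private static bool TryGetNumericDate(JsonElement root, string claim, out long value)
    {
        value = 0;
        return root.TryGetProperty(claim, out JsonElement el)
            && el.ValueKind == JsonValueKind.Number
            && el.TryGetInt64(out value);
    }
}

public static class Demo
{
    // Constructed sample payload: issued now, usable only from one hour later, expires after two.
    public static string BuildPayload(DateTimeOffset issuedAt) =>
        $"{{\"iss\":\"example\",\"iat\":{issuedAt.ToUnixTimeSeconds()}," +
        $"\"nbf\":{issuedAt.AddHours(1).ToUnixTimeSeconds()}," +
        $"\"exp\":{issuedAt.AddHours(2).ToUnixTimeSeconds()}}}";

    public static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string payload = BuildPayload(now);
        var strict = new TimeValidationOptions();

        Console.WriteLine("at issue time:      " + (JwtTimeValidator.Validate(payload, now, strict) ?? "valid"));
        Console.WriteLine("90 minutes later:   " + (JwtTimeValidator.Validate(payload, now.AddMinutes(90), strict) ?? "valid"));
        Console.WriteLine("3 hours later:      " + (JwtTimeValidator.Validate(payload, now.AddHours(3), strict) ?? "valid"));

        // The case the issue asks for: switch off only the nbf check, leaving exp enforced.
        var noNbf = new TimeValidationOptions { ValidateNotBefore = false };
        Console.WriteLine("at issue, nbf off:  " + (JwtTimeValidator.Validate(payload, now, noNbf) ?? "valid"));
    }
}
```

Run as a console project on a current .NET SDK. At issue time the strict options report "nbf" (the token is issued but not yet usable, which is exactly why iat and nbf must be treated separately), 90 minutes in the token passes, three hours in it fails on "exp", and with ValidateNotBefore turned off the token is accepted at issue time while the exp check stays in force. Leeway is applied symmetrically so that a few seconds of clock skew between issuer and verifier does not reject a token at either boundary; keep it small, since every second of leeway on exp extends the window in which a stolen token stays usable.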

abatishchev commented 1 week ago

To be honest, I don't remember why or how I (or maybe it was an OSS contribution by someone else) came up with this name. Both properties mean "whether the token is valid", one being "already valid" and the other "still valid". I guess because the latter is Expiration, the opposite to it was minted as Issuance. Which you're right, is a different claim.

Long story short. Do you mind submitting a change to add a new property and mark the old one as [Obsolete]?