okta / okta-oidc-android

OIDC SDK for Android
https://github.com/okta/okta-oidc-android

Potential fix for saving tokens when the system clock is out of sync with server clock #281

Closed JayNewstrom closed 2 years ago

JayNewstrom commented 2 years ago

Description:

Testing details:

Other considerations:

RESOLVES:

OKTA-XXXXX

Primary Reviewer(s):

Additional Reviewers:
Security Reviewer(s) (@ okta/rex-team if necessary):
UX Reviewer(s) (if necessary):

JayNewstrom commented 2 years ago

The spec says we should validate these things. https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

But there are many ways/reasons the system clock could be out of sync (users cheating in Candy Crush, etc.). The demonstrated behavior is less secure.

I just did this as a proof of concept; I'd still need to fix/write more tests and document the new public methods.

Fixes #256
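The trade-off discussed in this thread (strict exp/iat validation per OIDC Core 3.1.3.7 versus tolerating a device clock that disagrees with the server) can be made concrete with an injectable clock and a bounded skew allowance. The following is an added example written for this page, not code from okta-oidc-android or from this PR; the class name IdTokenTimeValidator, its method names, and the unsigned sample token are all hypothetical. It checks only the time claims; signature, issuer, audience and nonce validation are assumed to happen elsewhere, as they do in a real SDK.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from okta-oidc-android: validates the exp/iat/nbf time
// claims of an ID token against an injectable Clock with a bounded skew allowance.
public final class IdTokenTimeValidator {

    private final Clock clock;      // injectable so a skewed device is reproducible in tests
    private final Duration maxSkew; // leeway; RFC 7519 s4.1.4 says "usually no more than a few minutes"

    public IdTokenTimeValidator(Clock clock, Duration maxSkew) {
        if (maxSkew.isNegative()) {
            throw new IllegalArgumentException("maxSkew must not be negative");
        }
        this.clock = clock;
        this.maxSkew = maxSkew;
    }

    /** Returns null when the time claims are acceptable, otherwise a human-readable reason. */
    public String rejectReason(long exp, long iat, Long nbf) {
        Instant now = clock.instant();
        Instant expiry = Instant.ofEpochSecond(exp);
        Instant issued = Instant.ofEpochSecond(iat);

        // OIDC Core 3.1.3.7 step 9: the current time MUST be before exp.
        // Skew widens the boundary by a bounded amount; it never disables the check.
        if (!now.isBefore(expiry.plus(maxSkew))) {
            return "expired: exp=" + expiry + " now=" + now;
        }
        // Step 10: iat may be used to reject tokens issued too far from the current time.
        // A device clock running behind makes a freshly minted token look future-dated.
        if (issued.isAfter(now.plus(maxSkew))) {
            return "issued in the future: iat=" + issued + " now=" + now;
        }
        if (nbf != null) {
            Instant notBefore = Instant.ofEpochSecond(nbf);
            if (now.plus(maxSkew).isBefore(notBefore)) {
                return "not yet valid: nbf=" + notBefore + " now=" + now;
            }
        }
        return null;
    }

    /** Extracts a numeric claim from the (unverified) payload segment of a compact JWT. */
    static Long numericClaim(String jwt, String name) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a compact JWT");
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), UTF_8);
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(\\d+)").matcher(payload);
        return m.find() ? Long.valueOf(m.group(1)) : null;
    }

    public static void main(String[] args) {
        // Constructed sample: an unsigned token issued at serverNow, valid for one hour.
        Instant serverNow = Instant.parse("2021-06-01T12:00:00Z");
        String payloadJson = "{\"iss\":\"https://example.okta.com\",\"sub\":\"user\",\"aud\":\"client-id\","
                + "\"iat\":" + serverNow.getEpochSecond()
                + ",\"exp\":" + serverNow.plusSeconds(3600).getEpochSecond() + "}";
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String idToken = b64.encodeToString("{\"alg\":\"none\"}".getBytes(UTF_8)) + "."
                + b64.encodeToString(payloadJson.getBytes(UTF_8)) + ".";

        long exp = numericClaim(idToken, "exp");
        long iat = numericClaim(idToken, "iat");
        Long nbf = numericClaim(idToken, "nbf"); // absent in this sample, so null

        Duration[] skews = { Duration.ZERO, Duration.ofMinutes(5) };
        Instant[] deviceClocks = {
            serverNow,                           // in sync with the server
            serverNow.minusSeconds(120),         // device two minutes behind
            serverNow.plus(Duration.ofHours(2))  // device two hours ahead: token genuinely expired
        };
        for (Duration skew : skews) {
            for (Instant deviceNow : deviceClocks) {
                Clock deviceClock = Clock.fixed(deviceNow, ZoneOffset.UTC);
                String reason = new IdTokenTimeValidator(deviceClock, skew).rejectReason(exp, iat, nbf);
                System.out.printf("skew=%-3s device=%s -> %s%n", skew.toMinutes() + "m", deviceNow,
                        reason == null ? "ACCEPT" : "REJECT (" + reason + ")");
            }
        }
    }
}
```

Run it with `java IdTokenTimeValidator.java` (JDK 11 or later). With zero skew the validator rejects a freshly issued token as "issued in the future" when the device is two minutes behind the server, which is the failure mode this thread is about; a five-minute allowance accepts that token while still rejecting it on a device two hours ahead, because exp is only stretched by the allowance, not ignored. Keep the allowance in the few-minutes range, since every second of leeway extends how long an already-expired ID token is honoured. If devices in the field are off by more than that, measuring the offset from the server's HTTP `Date` response header and applying it to the injected clock (my suggestion here, not something this PR claims to do) is safer than widening the window further.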