ory / hydra

OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.
https://www.ory.sh/hydra/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

updated_at not using Unix timestamp (in seconds) but in milliseconds #3785

Open IchordeDionysos opened 1 week ago

IchordeDionysos commented 1 week ago

Preflight checklist

Ory Network Project

https://inspiring-hopper-b5cn7ocqrx.projects.oryapis.com

Describe the bug

I've been running OIDC conformance tests using Ory Hydra (hosted on Ory Network), and it seems like the userinfo endpoint (https://inspiring-hopper-b5cn7ocqrx.projects.oryapis.com/userinfo) returns all timestamps as Unix timestamps in seconds (rat, auth_time, iat) but updated_at as a Unix timestamp in milliseconds (as JS does it).

This leads the test to fail with the error:

updated_at in userinfo appears to be in the future updated_at: Dec 25, 52671, 12:26:40 AM now: Jun 24, 2024, 8:10:37 PM

{
  "amr": [
    "oidc"
  ],
  "aud": [
    "00000000-0000-0000-0000-000000000000"
  ],
  "auth_time": 1700000000,
  "iat": 1700000000,
  "iss": "https://inspiring-hopper-b5cn7ocqrx.projects.oryapis.com",
  "name": "Firstname Lastname",
  "rat": 1700000000,
  "sub": "00000000-0000-0000-0000-000000000000",
  "updated_at": 1600000000000
}

I was using the Test variant:

client_auth_type=client_secret_basic, server_metadata=static, response_type=code, response_mode=default, client_registration=static_client

Reproducing the bug

  1. Create a new OAuth2 Client in Ory.
    1. Grant at least the scopes openid and profile
    2. Select all grant types (maybe fewer are also possible?!)
    3. Select all response types (maybe fewer are also possible?!)
    4. Select access token type JWT (maybe others are also possible?!)
    5. Select Authentication Method HTTP Basic Authorization
    6. The rest can be empty; create the client and keep track of the secret
  2. Create test plan on https://www.certification.openid.net/
    1. Go to "Create a new test plan"
    2. Select the "OpenID Connect Core: Basic Certification Profile Authorization server test" test case
    3. Use Server metadata location: "static"
    4. Use Client Registration Type: "static_client"
    5. Use issuer: https://[slug].projects.oryapis.com
    6. Use jwks_uri: https://[slug].projects.oryapis.com/.well-known/jwks.json
    7. Use authorization_endpoint: https://[slug].projects.oryapis.com/oauth2/auth
    8. Use token_endpoint: https://[slug].projects.oryapis.com/oauth2/token
    9. Use userinfo_endpoint: https://[slug].projects.oryapis.com/userinfo
    10. Use the Ory generated client_id (for both client and client for client_secret_post)
    11. Use the previously generated client secret (for both client and client for client_secret_post)
    12. Click "Create test plan"
  3. On the newly created test plan:
    1. Go to the test "Test Name: oidcc-scope-profile"
    2. Click "Run test"
    3. Copy the redirect URI from the URI shown when being prompted for browser interaction
    4. Add the redirect URI as allowed redirect URI in the OAuth2 client in Ory
    5. Don't forget to click "save"
    6. Click "Proceed with test"
    7. Sign in using one of the configured login methods.
    8. When prompted for OIDC permissions to grant, allow both openid and profile
    9. Click "Allow"
    10. Go back to the test, which should now have completed with an error

Relevant log output

No response

Relevant configuration

No response

Version

1.2.0

On which operating system are you observing this issue?

Ory Network

In which environment are you deploying?

Ory Network

Additional Context

No response
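As an added example (not Ory's or the conformance suite's code), this is the relying-party-side check the failing test is effectively performing: it parses a userinfo response and reports time claims that cannot be Unix seconds, distinguishing a millisecond-scale value like the updated_at above from one that is merely in the future. The claim list, the clock-skew parameter and the sample document are assumptions.

```go
package main

import (
	"encoding/json"
	"time"
)

// Time claims OpenID Connect Core defines as NumericDate (seconds since the
// Unix epoch); "rat" is the requested-at claim Hydra adds. Assumed list.
var timeClaims = []string{"iat", "auth_time", "rat", "updated_at"}

// ClaimProblem describes one time claim that failed validation.
type ClaimProblem struct {
	Claim  string
	Value  int64
	Reason string
}

// CheckTimeClaims parses a userinfo JSON document and flags time claims that
// are not plausible Unix seconds: a value beyond now+skew is rejected, and if
// dividing it by 1000 would make it plausible, the reason says so.
func CheckTimeClaims(userinfo []byte, now time.Time, skew time.Duration) ([]ClaimProblem, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(userinfo, &claims); err != nil {
		return nil, err
	}
	limit := now.Add(skew).Unix()
	var problems []ClaimProblem
	for _, name := range timeClaims {
		raw, ok := claims[name]
		if !ok {
			continue // claim absent; only "sub" is mandatory in userinfo
		}
		var v int64
		if err := json.Unmarshal(raw, &v); err != nil {
			problems = append(problems, ClaimProblem{name, 0, "not an integer NumericDate"})
			continue
		}
		switch {
		case v <= limit:
			// plausible seconds value, nothing to report
		case v/1000 <= limit:
			problems = append(problems, ClaimProblem{name, v, "in the future; looks like milliseconds"})
		default:
			problems = append(problems, ClaimProblem{name, v, "in the future"})
		}
	}
	return problems, nil
}
```

Run against the constructed document `{"iat":1700000000,"auth_time":1700000000,"rat":1700000000,"updated_at":1600000000000}` with a June 2024 clock, only updated_at is reported, with the millisecond reason.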