thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

BearerTokenValidator::validateAuthorization requires the JWT to have the 'Not Before' claim #1287

Closed goldi80 closed 1 year ago

goldi80 commented 2 years ago

With commit 07bdaeb the deprecated Constraint Lcobucci\JWT\Validation\Constraint\ValidAt is replaced with the newer Lcobucci\JWT\Validation\Constraint\StrictValidAt. This replacement broke our authentication as our tokens (provided by a third party system) do not contain the optional claim 'Not Before' (RFC 7519 - JSON Web Token (JWT) -- nbf).

In fact, the correct replacement for the deprecated constraint is Lcobucci\JWT\Validation\Constraint\LooseValidAt which also does not require the nbf claim.

Unfortunately, there seems to be no obvious way how to configure which constraints should be checked by BearerTokenValidator.

Sephster commented 1 year ago

Hello. Thanks for reporting this and sorry for the delayed response. When I replaced this, I checked, and our default access token issues an nbf claim, so I didn't expect this to be an issue. Sorry.

Can I ask why you aren't issuing the tokens with this library, or why you can't add the nbf claim in to your third party provider, so I can better understand the issue?

The easiest way for you to fix this would be to provide your own BearerTokenValidator implementation. You can pass this in to the constructor of your ResourceServer - as long as it implements the AuthorizationValidator interface, it will be accepted. Hope this helps and sorry for the delay in getting back to you.
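The workaround described above, as an added example (not the library's or the reporter's code): a validator implementing `AuthorizationValidatorInterface` that verifies the signature, insists on `exp`, and uses `LooseValidAt`, so `nbf` is checked only when the token carries it. It assumes lcobucci/jwt 4.2+ (for `HasClaim`), lcobucci/clock, an RSA-SHA256 signed token and a PEM public key path; the class name `LooseBearerTokenValidator` is made up for this example.

```php
<?php
// Hypothetical validator for tokens issued by a third party that omits the optional nbf claim.
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use Lcobucci\JWT\Validation\Constraint\HasClaim;
use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
use Psr\Http\Message\ServerRequestInterface;

final class LooseBearerTokenValidator implements AuthorizationValidatorInterface
{
    private Configuration $jwt;
    public function __construct(private AccessTokenRepositoryInterface $accessTokens, string $publicKeyPath)
    {
        $publicKey = InMemory::file($publicKeyPath);
        // We only verify, so the signing key is a non-empty dummy (the factory requires one).
        $this->jwt = Configuration::forAsymmetricSigner(new Sha256(), InMemory::plainText('unused'), $publicKey);
        $this->jwt->setValidationConstraints(
            new SignedWith(new Sha256(), $publicKey),   // reject anything not signed by the issuer
            new HasClaim('exp'),                        // LooseValidAt alone would accept a token with no exp
            new LooseValidAt(SystemClock::fromUTC()),   // exp/nbf/iat checked against now, each only if present
        );
    }
    public function validateAuthorization(ServerRequestInterface $request): ServerRequestInterface
    {
        if (!$request->hasHeader('authorization')) {
            throw OAuthServerException::accessDenied('Missing "Authorization" header');
        }
        $raw = trim((string) preg_replace('/^\s*Bearer\s/', '', $request->getHeader('authorization')[0]));
        try {
            $token = $this->jwt->parser()->parse($raw);
            $this->jwt->validator()->assert($token, ...$this->jwt->validationConstraints());
        } catch (\Lcobucci\JWT\Exception $e) {
            throw OAuthServerException::accessDenied($e->getMessage());
        }
        $claims = $token->claims();
        // Signature and lifetime are fine; still honour server-side revocation.
        if ($this->accessTokens->isAccessTokenRevoked($claims->get('jti'))) {
            throw OAuthServerException::accessDenied('Access token has been revoked');
        }
        return $request->withAttribute('oauth_access_token_id', $claims->get('jti'))
            ->withAttribute('oauth_client_id', $claims->get('aud'))->withAttribute('oauth_user_id', $claims->get('sub'))
            ->withAttribute('oauth_scopes', $claims->get('scopes'));
    }
}
```

Wire it in as the third constructor argument: `new ResourceServer($accessTokenRepository, $publicKeyPath, new LooseBearerTokenValidator($accessTokenRepository, $publicKeyPath))`.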

goldi80 commented 1 year ago

Thanks for your reply. We're not creating the tokens with this library because the system using it to validate the tokens is only a small building block in the ecosystem of our company. There are many different systems validating tokens issued by a central system. The colleagues managing the token creation service are of the opinion that an optional thing shouldn't be mandatory.

In fact, passing in our own token validator is the 'workaround' we've implemented right now. But to be honest, we want to get rid of this customization.

Sephster commented 1 year ago

I've checked the docs and it looks like LooseValidAt will check nbf if it is present, so that seems to be the best of both worlds. Users can still be assured nbf is checked if the token is issued via the library, so I'm happy to make this adjustment. Will try and get this implemented this week. Thanks for flagging it!

goldi80 commented 1 year ago

Thanks for adjusting this. I'm really looking forward to receiving this update.

Sephster commented 1 year ago

Fixed, and apologies for the delay. Thanks again for raising this.