Added check for token NotBefore

Added timeSkewAllowance magic
pull/210/head
Stephen Moore 2012-08-28 15:41:59 -04:00
parent bc0ee4cbab
commit e8eaf48efd
1 changed files with 22 additions and 3 deletions


@ -77,7 +77,9 @@ public class AbstractOIDCAuthenticationFilter extends
protected final static String DEFAULT_SCOPE = "openid";
protected final static String FILTER_PROCESSES_URL = "/openid_connect_login";
// Allow for time sync issues by having a window of X seconds.
private int timeSkewAllowance = 300;
private Map<OIDCServerConfiguration, JwtSigningAndValidationService> validationServices = new HashMap<OIDCServerConfiguration, JwtSigningAndValidationService>();
@ -370,12 +372,20 @@ public class AbstractOIDCAuthenticationFilter extends
throw new AuthenticationServiceException("Id Token does not have required expiration claim");
} else {
// it's not null, see if it's expired
Date now = new Date();
Date now = new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000));
if (now.after(idClaims.getExpiration())) {
throw new AuthenticationServiceException("Id Token is expired: " + idClaims.getExpiration());
}
}
// check not before
if (idClaims.getNotBefore() != null) {
Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
if (now.before(idClaims.getNotBefore())){
throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBefore());
}
}
// check audience
if (idClaims.getAudience() == null) {
throw new AuthenticationServiceException("Id token audience is null");
@ -388,7 +398,7 @@ public class AbstractOIDCAuthenticationFilter extends
throw new AuthenticationServiceException("Id Token does not have required issued-at claim");
} else {
// since it's not null, see if it was issued in the future
Date now = new Date();
Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
if (now.before(idClaims.getIssuedAt())) {
throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssuedAt());
}
@ -652,4 +662,13 @@ public class AbstractOIDCAuthenticationFilter extends
Map<OIDCServerConfiguration, JwtSigningAndValidationService> validationServices) {
this.validationServices = validationServices;
}
public int getTimeSkewAllowance() {
return timeSkewAllowance;
}
public void setTimeSkewAllowance(int timeSkewAllowance) {
this.timeSkewAllowance = timeSkewAllowance;
}
}
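Review bot: The new setter `setTimeSkewAllowance` accepts any int, including a negative one, which would make the three `now` computations in the earlier hunks (`new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000))` and the two `+` variants) reject tokens that are actually inside their validity window, and a large value overflows the int multiplication before it is added to the long timestamp. I would validate at the boundary, `if (timeSkewAllowance < 0) { throw new IllegalArgumentException("timeSkewAllowance must be >= 0 seconds: " + timeSkewAllowance); }`, and widen the arithmetic with `timeSkewAllowance * 1000L` in the three checks. The field and its accessors also carry no Javadoc saying the unit is seconds or that the same allowance is applied to exp, nbf and iat; a one-line Javadoc on the field (`/** Clock-skew tolerance in seconds applied to the exp, nbf and iat checks; default 300. */`) would make the contract visible to whoever configures it. The method containing the exp/nbf/iat checks begins and ends outside the hunks shown.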