Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: added AuthConfig.skipIatCheck flag #1454

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
feat: added AuthConfig.skipIatCheck flag
Jorge García committed Nov 22, 2024
commit 9d09f0cf4148f96f2e1197b5e984c80d6d4753e2
5 changes: 5 additions & 0 deletions projects/lib/src/auth.config.ts
Original file line number Diff line number Diff line change
@@ -212,6 +212,11 @@ export class AuthConfig {
*/
public skipIssuerCheck? = false;

/**
* Defined whether to skip the validation of the IAT claim in ID Token.
*/
public skipIatCheck? = false;

/**
* According to rfc6749 it is recommended (but not required) that the auth
* server exposes the access_token's life time in seconds.
34 changes: 19 additions & 15 deletions projects/lib/src/oauth-service.ts
Original file line number Diff line number Diff line change
@@ -155,7 +155,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
} catch (e) {
console.error(
'No OAuthStorage provided and cannot access default (sessionStorage).' +
'Consider providing a custom OAuthStorage implementation in your module.',
'Consider providing a custom OAuthStorage implementation in your module.',
e
);
}
@@ -339,7 +339,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
if (!issuerCheck) {
errors.push(
'Every url in discovery document has to start with the issuer url.' +
'Also see property strictDiscoveryDocumentValidation.'
'Also see property strictDiscoveryDocumentValidation.'
);
}

@@ -700,7 +700,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
if (this.sessionChecksEnabled && !doc.check_session_iframe) {
this.logger.warn(
'sessionChecksEnabled is activated but discovery document' +
' does not contain a check_session_iframe field'
' does not contain a check_session_iframe field'
);
}

@@ -894,7 +894,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
tokenResponse.access_token,
tokenResponse.refresh_token,
tokenResponse.expires_in ||
this.fallbackAccessTokenExpirationTimeInSec,
this.fallbackAccessTokenExpirationTimeInSec,
tokenResponse.scope,
this.extractRecognizedCustomParameters(tokenResponse)
);
@@ -988,7 +988,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
tokenResponse.access_token,
tokenResponse.refresh_token,
tokenResponse.expires_in ||
this.fallbackAccessTokenExpirationTimeInSec,
this.fallbackAccessTokenExpirationTimeInSec,
tokenResponse.scope,
this.extractRecognizedCustomParameters(tokenResponse)
);
@@ -1914,7 +1914,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
tokenResponse.access_token,
tokenResponse.refresh_token,
tokenResponse.expires_in ||
this.fallbackAccessTokenExpirationTimeInSec,
this.fallbackAccessTokenExpirationTimeInSec,
tokenResponse.scope,
this.extractRecognizedCustomParameters(tokenResponse)
);
@@ -2022,8 +2022,8 @@ export class OAuthService extends AuthConfig implements OnDestroy {
if (this.sessionChecksEnabled && !sessionState) {
this.logger.warn(
'session checks (Session Status Change Notification) ' +
'were activated in the configuration but the id_token ' +
'does not contain a session_state claim'
'were activated in the configuration but the id_token ' +
'does not contain a session_state claim'
);
}

@@ -2223,7 +2223,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
return Promise.reject(err);
}

if (!claims.iat) {
if (!this.skipIatCheck && !claims.iat) {
const err = 'No iat claim in id_token';
this.logger.warn(err);
return Promise.reject(err);
@@ -2266,7 +2266,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
const clockSkewInMSec = this.getClockSkewInMsec(); // (this.getClockSkewInMsec() || 600) * 1000;

if (
issuedAtMSec - clockSkewInMSec >= now ||
this.isIatClaimValid(issuedAtMSec, clockSkewInMSec, now) ||
expiresAtMSec + clockSkewInMSec - this.decreaseExpirationBySec <= now
) {
const err = 'Token has expired';
@@ -2336,6 +2336,10 @@ export class OAuthService extends AuthConfig implements OnDestroy {
});
}

private isIatClaimValid(issuedAtMSec: number, clockSkewInMSec: number, now: number) {
return this.skipIatCheck || issuedAtMSec - clockSkewInMSec >= now;
}

/**
* Returns the received claims about the user.
*/
@@ -2424,7 +2428,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
if (
expiresAt &&
parseInt(expiresAt, 10) - this.decreaseExpirationBySec <
now.getTime() - this.getClockSkewInMsec()
now.getTime() - this.getClockSkewInMsec()
) {
return false;
}
@@ -2445,7 +2449,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
if (
expiresAt &&
parseInt(expiresAt, 10) - this.decreaseExpirationBySec <
now.getTime() - this.getClockSkewInMsec()
now.getTime() - this.getClockSkewInMsec()
) {
return false;
}
@@ -2461,9 +2465,9 @@ export class OAuthService extends AuthConfig implements OnDestroy {
*/
public getCustomTokenResponseProperty(requestedProperty: string): any {
return this._storage &&
this.config.customTokenParameters &&
this.config.customTokenParameters.indexOf(requestedProperty) >= 0 &&
this._storage.getItem(requestedProperty) !== null
this.config.customTokenParameters &&
this.config.customTokenParameters.indexOf(requestedProperty) >= 0 &&
this._storage.getItem(requestedProperty) !== null
? JSON.parse(this._storage.getItem(requestedProperty))
: null;
}