openid: Resolves timing issues by setting now to the future (#270)

ory · May 19, 2018 · e9339d7 · e9339d7
1 parent eee3dad
commit e9339d7
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/handler/openid/strategy_jwt.go b/handler/openid/strategy_jwt.go
@@ -146,9 +146,14 @@ func (h DefaultStrategy) GenerateIDToken(_ context.Context, requester fosite.Req
 			maxAge = 0
 		}
 
+		// Adds a bit of wiggle room for timing issues
+		if claims.AuthTime.After(time.Now().UTC().Add(time.Second * 5)) {
+			return "", errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time is in the future"))
+		}
+
 		if maxAge > 0 {
-			if claims.AuthTime.IsZero() || claims.AuthTime.After(time.Now().UTC()) {
-				return "", errors.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because authentication time claim is required when max_age is set and can not be in the future"))
+			if claims.AuthTime.IsZero() {
+				return "", errors.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because authentication time claim is required when max_age is set"))
 			} else if claims.AuthTime.Add(time.Second * time.Duration(maxAge)).Before(time.Now().UTC()) {
 				return "", errors.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because authentication time does not satisfy max_age time"))
 			}

diff --git a/handler/openid/validator.go b/handler/openid/validator.go
@@ -107,13 +107,14 @@ func (v *OpenIDConnectRequestValidator) ValidatePrompt(req fosite.AuthorizeReque
 		return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because session subject is empty"))
 	}
 
-	if claims.AuthTime.After(time.Now().UTC()) {
+	// Adds a bit of wiggle room for timing issues
+	if claims.AuthTime.After(time.Now().UTC().Add(time.Second * 5)) {
 		return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time is in the future"))
 	}
 
 	if maxAge > 0 {
 		if claims.AuthTime.IsZero() {
-			return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time claim is required when max_age is set and can not be in the future"))
+			return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time claim is required when max_age is set"))
 		} else if claims.AuthTime.Add(time.Second * time.Duration(maxAge)).Before(time.Now()) {
 			return errors.WithStack(fosite.ErrLoginRequired.WithDebug("Failed to validate OpenID Connect request because authentication time does not satisfy max_age time"))
 		}