openid: Improves validation errors and uses UTC everywhere (#269)

ory · May 19, 2018 · eee3dad · eee3dad
1 parent 7ccad77
commit eee3dad
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 8 deletions.
diff --git a/handler/openid/strategy_jwt.go b/handler/openid/strategy_jwt.go
@@ -147,16 +147,16 @@ func (h DefaultStrategy) GenerateIDToken(_ context.Context, requester fosite.Req
 		}
 
 		if maxAge > 0 {
-			if claims.AuthTime.IsZero() || claims.AuthTime.After(time.Now()) {
+			if claims.AuthTime.IsZero() || claims.AuthTime.After(time.Now().UTC()) {
 				return "", errors.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because authentication time claim is required when max_age is set and can not be in the future"))
-			} else if claims.AuthTime.Add(time.Second * time.Duration(maxAge)).Before(time.Now()) {
+			} else if claims.AuthTime.Add(time.Second * time.Duration(maxAge)).Before(time.Now().UTC()) {
 				return "", errors.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because authentication time does not satisfy max_age time"))
 			}
 		}
 
 		prompt := requester.GetRequestForm().Get("prompt")
 		if prompt != "" {
-			if claims.AuthTime.IsZero() || claims.AuthTime.After(time.Now()) {
+			if claims.AuthTime.IsZero() || claims.AuthTime.After(time.Now().UTC()) {
 				return "", errors.WithStack(fosite.ErrServerError.WithDebug("Unable to determine validity of prompt parameter because auth_time is missing in id token claims"))
 			}
 		}

diff --git a/handler/openid/validator.go b/handler/openid/validator.go
@@ -107,8 +107,12 @@ func (v *OpenIDConnectRequestValidator) ValidatePrompt(req fosite.AuthorizeReque
 		return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because session subject is empty"))
 	}
 
+	if claims.AuthTime.After(time.Now().UTC()) {
+		return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time is in the future"))
+	}
+
 	if maxAge > 0 {
-		if claims.AuthTime.IsZero() || claims.AuthTime.After(time.Now()) {
+		if claims.AuthTime.IsZero() {
 			return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time claim is required when max_age is set and can not be in the future"))
 		} else if claims.AuthTime.Add(time.Second * time.Duration(maxAge)).Before(time.Now()) {
 			return errors.WithStack(fosite.ErrLoginRequired.WithDebug("Failed to validate OpenID Connect request because authentication time does not satisfy max_age time"))

diff --git a/handler/openid/validator_test.go b/handler/openid/validator_test.go
@@ -143,8 +143,8 @@ func TestValidatePrompt(t *testing.T) {
 				Subject: "foo",
 				Claims: &jwt.IDTokenClaims{
 					Subject:     "foo",
-					RequestedAt: time.Now().UTC(),
-					AuthTime:    time.Now().UTC().Add(time.Second),
+					RequestedAt: time.Now().UTC().Add(-time.Second*5),
+					AuthTime:    time.Now().UTC().Add(-time.Second),
 				},
 			},
 		},
@@ -157,8 +157,8 @@ func TestValidatePrompt(t *testing.T) {
 				Subject: "foo",
 				Claims: &jwt.IDTokenClaims{
 					Subject:     "foo",
-					RequestedAt: time.Now().UTC(),
-					AuthTime:    time.Now().UTC().Add(time.Second),
+					RequestedAt: time.Now().UTC().Add(-time.Second*5),
+					AuthTime:    time.Now().UTC().Add(-time.Second),
 				},
 			},
 		},