Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Module accepts any issuer and expiration #50

Open
Jojo-IO opened this issue Feb 20, 2021 · 3 comments
Open

Module accepts any issuer and expiration #50

Jojo-IO opened this issue Feb 20, 2021 · 3 comments

Comments

@Jojo-IO
Copy link

Jojo-IO commented Feb 20, 2021

Installing the newest version from source and using e.g. the minimal configuration from the readme, the module accepts just any value given as AuthJWTIss and does not mind the expiration time. Access is only denied if the token is completely wrong.
@Jojo-IO
Copy link
Author

Jojo-IO commented Feb 22, 2021

It was a misconfiguration of the token. iss and exp was in the header instead of the payload. But I'm not sure a token should be accepted as valid when AuthJWTIss / AuthJWTExpDelay is set, but iss / exp is missing.

@AnthonyDeroche
Copy link
Owner

The AuthJWTExpDelay and AuthJWTIss are only used to issue tokens.

However, it is a good point. If there is a configured issuer and expiration delay, it's important to validate them afterwards. I will have a look on the code to check this behavior.

Any pull request is welcome.

Anthony

@MinePlugins
Copy link

Hello,

Any news on this ?

Do you plan to work on ?

Thank's you in advance

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@AnthonyDeroche @MinePlugins @Jojo-IO