JWT: require valid exp claim by default

Users of JWT rightly expect tokens to be considered invalid once they expire. It is a surprise to some that this requires a change to the default configuration. In the interest of security we will now require a valid `exp` claim in tokens. Administrators can disable the check by changing `required_claims` back to the empty string. We do not add `nbf` as a required claim as it seems to not be set often in practice. closes #5046
apache · May 16, 2024 · b8a8e79 · b8a8e79
1 parent 7e5e0ac
commit b8a8e79
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 2 deletions.
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
@@ -225,7 +225,10 @@ bind_address = 127.0.0.1
 ; List of claims to validate
 ; can be the name of a claim like "exp" or a tuple if the claim requires
 ; a parameter
-;required_claims = exp, {iss, "IssuerNameHere"}
+; Example:
+; required_claims = exp, nbf, {iss, "MyCompany"}
+; default value if not set;
+;required_claims = exp
 
 ; roles_claim_name is marked as deprecated. Please use roles_claim_path instead!
 ; Values for ``roles_claim_name`` can only be top-level attributes in the JWT

diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
@@ -306,7 +306,7 @@ get_roles_claim(Claims) ->
     end.
 
 get_configured_claims() ->
-    Claims = config:get("jwt_auth", "required_claims", ""),
+    Claims = config:get("jwt_auth", "required_claims", "exp"),
     Re = "((?<key1>[a-z]+)|{(?<key2>[a-z]+)\s*,\s*\"(?<val>[^\"]+)\"})",
     case re:run(Claims, Re, [global, {capture, [key1, key2, val], binary}]) of
         nomatch when Claims /= "" ->

diff --git a/src/docs/src/whatsnew/3.4.rst b/src/docs/src/whatsnew/3.4.rst
@@ -0,0 +1,44 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _release/3.4.x:
+
+============
+3.4.x Branch
+============
+
+.. contents::
+    :depth: 1
+    :local:
+
+.. _release/3.4.0:
+
+Version 3.4.0
+=============
+
+* JWT: require valid `exp` claim by default
+
+.. _release/3.4.x/breakingchanges:
+
+Breaking Changes
+================
+
+* :ghissue:`5046`: JWT: require valid `exp` claim by default
+
+  Users of JWT rightly expect tokens to be considered invalid once they expire. It
+  is a surprise to some that this requires a change to the default
+  configuration. In the interest of security we will now require a valid `exp`
+  claim in tokens. Administrators can disable the check by changing
+  `required_claims` back to the empty string.
+
+  We recommend adding `nbf` as a required claim if you know your tokens  will
+  include it.
diff --git a/src/docs/src/whatsnew/index.rst b/src/docs/src/whatsnew/index.rst
@@ -20,6 +20,7 @@ Release Notes
     :glob:
     :maxdepth: 2
 
+    3.4
     3.3
     3.2
     3.1