Remove iat claim value check #223

Merged
merged 1 commit into from
Jun 30, 2020


lbalmaceda
Contributor

Changes

According to the spec, checking this value should be optional. The presence check, however, is not. That remains.

References

https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.

Testing

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language or why not

Checklist

@lbalmaceda lbalmaceda added this to the v3-Next milestone Jun 29, 2020
@lbalmaceda lbalmaceda requested a review from a team June 29, 2020 21:14
@lbalmaceda lbalmaceda merged commit 1d895a7 into master Jun 30, 2020
@lbalmaceda lbalmaceda deleted the rm-iat branch June 30, 2020 13:06
@lbalmaceda lbalmaceda modified the milestones: v3-Next, 3.12.0 Jul 13, 2020
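
The distinction drawn in this pull request, as an added example that is not the project's own code: the `iat` claim must always be present and numeric, while comparing its value with the current time is opt-in, with a window the client chooses. The function names, the `max_skew` parameter and the sample payloads are assumptions for illustration, and the claims are assumed to come from a token whose signature has already been verified.

```python
import time

class IdTokenClaimError(ValueError):
    """Raised when an ID token claim fails validation."""

def check_iat(claims, now=None, max_skew=None):
    """Validate the iat claim of an already signature-verified ID token.

    Presence and type are always enforced. The value is compared with the
    current time only when the client configures max_skew (seconds); with
    max_skew=None the value is accepted as-is.
    """
    if "iat" not in claims:
        raise IdTokenClaimError("Issued At (iat) claim must be present")
    iat = claims["iat"]
    # NumericDate (RFC 7519) is a JSON number; bool is an int subclass in Python.
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        raise IdTokenClaimError("Issued At (iat) claim must be a number")
    if max_skew is None:
        return iat  # optional value check not configured
    now = time.time() if now is None else now
    if abs(now - iat) > max_skew:
        raise IdTokenClaimError(
            f"Issued At (iat) claim is {abs(now - iat):.0f}s from current time, "
            f"allowed {max_skew}s")
    return iat

def is_accepted(claims, **kwargs):
    """Return True when check_iat passes, False when it raises."""
    try:
        check_iat(claims, **kwargs)
        return True
    except IdTokenClaimError:
        return False

# Constructed sample payloads (not real tokens); NOW is a fixed clock for repeatability.
NOW = 1593522000
FRESH = {"sub": "user|1", "iat": NOW - 30}
STALE = {"sub": "user|1", "iat": NOW - 86400}
MISSING = {"sub": "user|1"}

if __name__ == "__main__":
    for name, c in (("fresh", FRESH), ("stale", STALE), ("missing", MISSING)):
        print(name, "presence-only:", is_accepted(c, now=NOW),
              "| 5-minute window:", is_accepted(c, now=NOW, max_skew=300))
```

With the presence-only setting the day-old payload is accepted, so a client that relies on `iat` to bound nonce storage has to configure the window itself.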