
OidcAuthorizationCodeAuthenticationProvider maxIssuedAt #5189


Closed
marcosjunqueira opened this issue Mar 30, 2018 · 5 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)

Comments

@marcosjunqueira
Copy link

Summary

When I configure OAuth2 for Google and log in, I get an invalid_id_token exception.

Actual Behavior

So I decided to debug, but on debug mode it works.

Expected Behavior

Successful login with Google without debug.

Configuration

security:
  oauth2:
    client:
      registration:
        google:
          client-id: {client_id}
          client-secret: {secret_id}

Version

5.0.3.RELEASE

Sample fail

Instant maxIssuedAt = Instant.now().plusSeconds(30);
if (issuedAt.isAfter(maxIssuedAt)) {
// breakpoint here --> this.throwInvalidIdTokenException();
}

issuedAt = 2018-03-30T22:13:07Z
maxIssuedAt = 2018-03-30T22:13:05.302Z

Sample works

// breakpoint here and wait -->Instant maxIssuedAt = Instant.now().plusSeconds(30);
if (issuedAt.isAfter(maxIssuedAt)) {
this.throwInvalidIdTokenException();
}

issuedAt = 2018-03-30T22:16:22Z
maxIssuedAt = 2018-03-30T22:16:27.326Z
and successful login

@marcosjunqueira
Copy link
Author

marcosjunqueira commented Mar 31, 2018

My suggestion
if (Math.abs(maxIssuedAt.until(issuedAt, ChronoUnit.SECONDS)) > 30) {
this.throwInvalidIdTokenException();
}

@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Apr 2, 2018
@jgrandja jgrandja self-assigned this Apr 4, 2018
@jgrandja
Copy link
Contributor

jgrandja commented Apr 4, 2018

@marcosjunqueira I cannot reproduce the issue you are having. I've tested google login numerous times and never had this issue.

Looking at those times:

issuedAt -> 2018-03-30T22:13:07Z
maxIssuedAt -> 2018-03-30T22:13:05.302Z

issuedAt is what comes back from Google and it's 10:13pm 7 secs.

maxIssuedAt is calculated as current-time + 30 secs, so if the clocks are in sync between Google and the computer where you are testing, then the time would be approx. 10:13pm 37 secs. However, the time you have there is 10:13pm 5 secs, which is behind the issuedAt time.

Looks like the clock is not in sync with Google time or Global time. Try adjusting the time on the computer where you are testing. I think that will do it.

@jgrandja jgrandja added the status: waiting-for-feedback We need additional information before we can continue label Apr 4, 2018
@marcosjunqueira
Copy link
Author

Hi @jgrandja I tried to configure the Google NTP, but apparently it doesn't sync secs (strange behavior). If I adjust seconds manually it works.

The iat Claim can be used to reject tokens that were issued too far away from the current time...

Thinking about this definition, would not it be interesting to restrict this time both before and after the server's current time?

For example, if you stay in debug mode for 10 minutes before the system obtains the current time, it will allow authentication. And 10 minutes, for me, is too far away from current time.

@marcosjunqueira
Copy link
Author

marcosjunqueira commented Apr 4, 2018

sync time with time.google.com and got this

Instant.now() = 2018-04-04T22:18:25.513Z
maxIssuedAt = 2018-04-04T22:18:55.513Z
issuedAt = 2018-04-04T22:19:02Z

Set the time manually (plus 30 secs), and it worked.

@jgrandja
Copy link
Contributor

jgrandja commented Apr 6, 2018

@marcosjunqueira

Thinking about this definition, would not it be interesting to restrict this time both before and after the server's current time?

Our primary goal is to be spec compliant and therefore we've implemented this validation check as documented in ID Token Validation.

For example, if you stay in debug mode for 10 minutes before the system obtains the current time, it will allow authentication. And 10 minutes, for me, is too far away from current time.

Sitting in debug mode is not a real-world scenario. When an OpenID Connect flow is triggered it happens fairly quickly - it will not take 10 mins to complete...more like a few seconds. If it took longer than 30 seconds, for example, then likely a Network I/O error will occur and login will fail anyway, at which point the ID Token would never have been received by the client.

I'm going to close this issue as you seem to have resolved the clock sync issue.

Thank you for your feedback!

@jgrandja jgrandja closed this as completed Apr 6, 2018
@jgrandja jgrandja removed the status: waiting-for-feedback We need additional information before we can continue label Apr 6, 2018
@jgrandja jgrandja removed their assignment Apr 6, 2018
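To make the behaviour discussed in this thread concrete (the one-sided iat check that rejected the token in the "Sample fail" trace, the reporter's symmetric-window suggestion, and the "10 minutes on a breakpoint" scenario), here is an added, stand-alone Java example. It is not Spring Security's code and not the OidcAuthorizationCodeAuthenticationProvider implementation; the class name IdTokenTimeValidator, the injectable Clock, the configurable skew and the expiresAt value are assumptions made for the example. The timestamps in main() are the ones posted in the thread; the local clock is placed where maxIssuedAt = now + 30 s puts it.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;

/**
 * Example ID Token time-claim validation with an injectable Clock and a
 * configurable skew tolerance. Illustrative only; not Spring Security's code.
 */
public final class IdTokenTimeValidator {

    private final Clock clock;            // injected so the check is testable without the wall clock
    private final Duration skew;          // tolerated client/IdP clock drift (assumed configurable here)
    private final boolean rejectStaleIat; // also reject an iat far in the past (the reporter's suggestion)

    public IdTokenTimeValidator(Clock clock, Duration skew, boolean rejectStaleIat) {
        this.clock = clock;
        this.skew = skew;
        this.rejectStaleIat = rejectStaleIat;
    }

    /** Throws IllegalStateException with the reason when the time claims are not acceptable. */
    public void validate(Instant issuedAt, Instant expiresAt) {
        Instant now = clock.instant();

        // exp: the token must not have expired; skew tolerates a slightly slow client clock.
        if (!expiresAt.plus(skew).isAfter(now)) {
            throw new IllegalStateException("id_token expired at " + expiresAt + ", now " + now);
        }
        // iat: must not lie further in the future than the skew allows. This is the
        // check the thread traces; the posted Spring code hard-codes 30 seconds.
        Instant maxIssuedAt = now.plus(skew);
        if (issuedAt.isAfter(maxIssuedAt)) {
            throw new IllegalStateException("id_token iat " + issuedAt + " is after maxIssuedAt "
                    + maxIssuedAt + " (client clock behind the IdP?)");
        }
        // Optional symmetric check: a token issued long before "now" is rejected as well.
        if (rejectStaleIat && issuedAt.isBefore(now.minus(skew))) {
            throw new IllegalStateException("id_token iat " + issuedAt + " is too far in the past");
        }
    }

    public static void main(String[] args) {
        // Values from the "Sample fail" trace: iat from Google, local clock about 31.7 s behind it.
        Instant issuedAt = Instant.parse("2018-03-30T22:13:07Z");
        Instant expiresAt = issuedAt.plus(Duration.ofHours(1)); // assumed; exp is not shown in the thread
        Clock slowClock = Clock.fixed(Instant.parse("2018-03-30T22:12:35.302Z"), ZoneOffset.UTC);

        try {
            new IdTokenTimeValidator(slowClock, Duration.ofSeconds(30), false).validate(issuedAt, expiresAt);
            System.out.println("accepted with 30 s skew (unexpected)");
        } catch (IllegalStateException e) {
            System.out.println("rejected with 30 s skew: " + e.getMessage());
        }

        // Same token, wider tolerance: accepted. A configurable skew is what separates
        // "fix the clock" from "fail every login on this host".
        new IdTokenTimeValidator(slowClock, Duration.ofSeconds(60), false).validate(issuedAt, expiresAt);
        System.out.println("accepted with 60 s skew");

        // Ten minutes later (the breakpoint scenario): the one-sided check still accepts the
        // token, the symmetric check rejects it.
        Clock tenMinutesLater = Clock.offset(slowClock, Duration.ofMinutes(10));
        new IdTokenTimeValidator(tenMinutesLater, Duration.ofSeconds(30), false).validate(issuedAt, expiresAt);
        System.out.println("one-sided check accepts a 10-minute-old token");
        try {
            new IdTokenTimeValidator(tenMinutesLater, Duration.ofSeconds(30), true).validate(issuedAt, expiresAt);
        } catch (IllegalStateException e) {
            System.out.println("symmetric check rejects it: " + e.getMessage());
        }
    }
}
```

Before loosening any tolerance on a real deployment, confirm the host clock first (for example with `chronyc tracking` or `timedatectl`): a relying party whose clock is 30 seconds behind the identity provider will also misjudge exp, nonce replay windows and its own session timestamps, so NTP is the fix and the skew setting is only a safety margin.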