Clock skew tolerance for oidc token validation (#2482) (#2521)

(cherry picked from commit 9cce399) Co-authored-by: Andrea Pasqualini <[email protected]>
opensearch-project · Mar 8, 2023 · e680ff1 · e680ff1
1 parent 3f467f9
commit e680ff1
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 6 deletions.
diff --git a/securityconfig/config.yml b/securityconfig/config.yml
@@ -131,6 +131,7 @@ config:
             signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
             jwt_header: "Authorization"
             jwt_url_parameter: null
+            jwt_clock_skew_tolerance_seconds: 30
             roles_key: null
             subject_key: null
         authentication_backend:

diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
@@ -61,16 +61,20 @@ public abstract class AbstractHTTPJwtAuthenticator implements HTTPAuthenticator
     private final String subjectKey;
     private final String rolesKey;
 
+    public static final int DEFAULT_CLOCK_SKEW_TOLERANCE_SECONDS = 30;
+    private final int clockSkewToleranceSeconds ;
+
     public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
         jwtUrlParameter = settings.get("jwt_url_parameter");
         jwtHeaderName = settings.get("jwt_header", HttpHeaders.AUTHORIZATION);
         isDefaultAuthHeader = HttpHeaders.AUTHORIZATION.equalsIgnoreCase(jwtHeaderName);
         rolesKey = settings.get("roles_key");
         subjectKey = settings.get("subject_key");
+        clockSkewToleranceSeconds = settings.getAsInt("jwt_clock_skew_tolerance_seconds", DEFAULT_CLOCK_SKEW_TOLERANCE_SECONDS);
 
         try {
             this.keyProvider = this.initKeyProvider(settings, configPath);
-            jwtVerifier = new JwtVerifier(keyProvider);
+            jwtVerifier = new JwtVerifier(keyProvider, clockSkewToleranceSeconds );
 
         } catch (Exception e) {
             log.error("Error creating JWT authenticator. JWT authentication will not work", e);

diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java
@@ -37,9 +37,11 @@ public class JwtVerifier {
 	private final static Logger log = LogManager.getLogger(JwtVerifier.class);
 
 	private final KeyProvider keyProvider;
+	private final int clockSkewToleranceSeconds;
 
-	public JwtVerifier(KeyProvider keyProvider) {
+	public JwtVerifier(KeyProvider keyProvider, int clockSkewToleranceSeconds ) {
 		this.keyProvider = keyProvider;
+		this.clockSkewToleranceSeconds = clockSkewToleranceSeconds;
 	}
 
 	public JwtToken getVerifiedJwtToken(String encodedJwt) throws BadCredentialsException {
@@ -113,8 +115,8 @@ private void validateClaims(JwtToken jwt) throws BadCredentialsException, JwtExc
 		JwtClaims claims = jwt.getClaims();
 
 		if (claims != null) {
-			JwtUtils.validateJwtExpiry(claims, 0, false);
-			JwtUtils.validateJwtNotBefore(claims, 0, false);
+			JwtUtils.validateJwtExpiry(claims, clockSkewToleranceSeconds, false);
+			JwtUtils.validateJwtNotBefore(claims, clockSkewToleranceSeconds, false);
 		}
 	}
 }
diff --git a/...a/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticatorTest.java b/...a/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticatorTest.java
@@ -12,7 +12,6 @@
  *  express or implied. See the License for the specific language governing
  *  permissions and limitations under the License.
  */
-
 package com.amazon.dlic.auth.http.jwt.keybyoidc;
 
 import java.util.HashMap;
@@ -117,15 +116,83 @@ public void testExp() throws Exception {
 		Settings settings = Settings.builder().put("openid_connect_url", mockIdpServer.getDiscoverUri()).build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
-
+		
 		AuthCredentials creds = jwtAuth.extractCredentials(
 				new FakeRestRequest(ImmutableMap.of("Authorization", TestJwts.MC_COY_EXPIRED_SIGNED_OCT_1),
 						new HashMap<String, String>()),
 				null);
 
 		Assert.assertNull(creds);
+	}	
+
+	@Test
+	public void testExpInSkew() throws Exception {
+		Settings settings = Settings.builder()
+			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
+			.put("jwt_clock_skew_tolerance_seconds", "10")
+			.build();
+
+		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
+
+		long expiringDate = System.currentTimeMillis()/1000-5;
+		long notBeforeDate = System.currentTimeMillis()/1000-25;
+
+		AuthCredentials creds = jwtAuth.extractCredentials(
+			new FakeRestRequest(
+				ImmutableMap.of(
+					"Authorization", 
+					"bearer "+TestJwts.createMcCoySignedOct1(notBeforeDate, expiringDate)),
+				new HashMap<String, String>()),
+			null);
+
+		Assert.assertNotNull(creds);
 	}
 
+	@Test
+	public void testNbf() throws Exception {
+		Settings settings = Settings.builder()
+			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
+			.put("jwt_clock_skew_tolerance_seconds", "0")
+			.build();
+
+		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
+
+		long expiringDate = 20+System.currentTimeMillis()/1000;
+		long notBeforeDate = 5+System.currentTimeMillis()/1000;
+
+		AuthCredentials creds = jwtAuth.extractCredentials(
+			new FakeRestRequest(
+				ImmutableMap.of(
+					"Authorization", 
+					"bearer "+TestJwts.createMcCoySignedOct1(notBeforeDate, expiringDate)),
+				new HashMap<String, String>()),
+			null);
+
+		Assert.assertNull(creds);
+	}
+
+	@Test
+	public void testNbfInSkew() throws Exception {
+		Settings settings = Settings.builder()
+			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
+			.put("jwt_clock_skew_tolerance_seconds", "10")
+			.build();
+
+		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
+
+		long expiringDate = 20+System.currentTimeMillis()/1000;
+		long notBeforeDate = 5+System.currentTimeMillis()/1000;;
+
+		AuthCredentials creds = jwtAuth.extractCredentials(
+				new FakeRestRequest(
+						ImmutableMap.of("Authorization", "bearer "+TestJwts.createMcCoySignedOct1(notBeforeDate, expiringDate)),
+						new HashMap<String, String>()),
+				null);
+
+		Assert.assertNotNull(creds);
+	}	
+
+
 	@Test
 	public void testRS256() throws Exception {
 

diff --git a/src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/TestJwts.java b/src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/TestJwts.java
@@ -110,4 +110,15 @@ static String createSignedWithPeculiarEscaping(JwtToken baseJwt, JsonWebKey jwk)
 		return new JoseJwtProducer().processJwt(signedToken, null, signatureProvider);
 	}
 
+	static String createMcCoySignedOct1(long nbf, long exp)
+	{
+		JwtToken jwt_token = create(
+			MCCOY_SUBJECT, TEST_AUDIENCE, 
+			ROLES_CLAIM, TEST_ROLES_STRING, 
+			JwtConstants.CLAIM_NOT_BEFORE, nbf, 
+			JwtConstants.CLAIM_EXPIRY, exp);
+
+		return createSigned(jwt_token, TestJwk.OCT_1);
+	}
+
 }