
Disable JWT Lifetime Check #879

Closed
jpspringall opened this issue Jul 27, 2021 · 5 comments

Comments

@jpspringall
Contributor

Hi,

We are facing an issue where some of our users have their local times set massively wrong (some are years out).

This means that they face a JWT lifetime validity error.

We could use a massive clock skew,
but as the JWT lifetime validation doesn't really add anything from a security perspective,
as you can get round it by changing the local time,
I wondered what the appetite was for introducing an option to disable it,
similar to the ignoreSignature option.

So in file:
lib/oidc/util/validateClaims.ts

// Only run the time-based checks when the caller has not opted out of them.
// (The signature check is unaffected by this option.)
if (!validationParams.ignoreLifetime) {
    // expired: allow maxClockSkew seconds of tolerance on the local clock
    if (now - sdk.options.maxClockSkew > claims.exp) {
      throw new AuthSdkError("The JWT expired and is no longer valid");
    }

    // issued in the future: same tolerance in the other direction
    if (claims.iat > now + sdk.options.maxClockSkew) {
      throw new AuthSdkError("The JWT was issued in the future");
    }
}

Happy to do the work, but wanted to make sure it would be accepted first :-)

Cheers

James
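The behaviour described in this issue, as an added example that is not code from the original post or from okta-auth-js: a lifetime check with a maxClockSkew window and an opt-out flag, run against a constructed token on a client whose clock is years off. The function name validateLifetime, the option name ignoreLifetime and the sample timestamps are assumptions.

```javascript
// Added example, not okta-auth-js code. Names and sample values are constructed.
class AuthSdkError extends Error {}

// Returns null when the lifetime claims pass, otherwise an AuthSdkError.
// `now` is seconds since the epoch as read from the *local* clock, which is
// exactly why this check can be defeated by changing that clock.
function validateLifetime(claims, now, options = {}) {
  const { maxClockSkew = 300, ignoreLifetime = false } = options;
  if (ignoreLifetime) {
    return null; // caller must still verify the signature
  }
  if (typeof claims.exp !== 'number' || typeof claims.iat !== 'number') {
    return new AuthSdkError('The JWT is missing exp or iat');
  }
  if (now - maxClockSkew > claims.exp) {
    return new AuthSdkError('The JWT expired and is no longer valid');
  }
  if (claims.iat > now + maxClockSkew) {
    return new AuthSdkError('The JWT was issued in the future');
  }
  return null;
}

// Constructed sample token: issued at t0 (2021-07-27T08:00:00Z), valid one hour.
const t0 = 1627372800;
const claims = { iss: 'https://example.okta.com', iat: t0, exp: t0 + 3600 };
const twoYears = 2 * 365 * 24 * 3600;

// Same token as seen by clients with a correct clock, a clock two years
// behind, a clock two years ahead, and a client that skips the check.
function demo() {
  const skew = { maxClockSkew: 300 };
  return {
    correctClock: validateLifetime(claims, t0 + 10, skew),
    clockYearsBehind: validateLifetime(claims, t0 - twoYears, skew),
    clockYearsAhead: validateLifetime(claims, t0 + twoYears, skew),
    skipped: validateLifetime(claims, t0 - twoYears, { ...skew, ignoreLifetime: true }),
  };
}
```

Only the skipped case passes on the misconfigured clients, which is the trade-off the issue proposes; the signature check remains the control that is hard to forge.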

@aarongranick-okta
Contributor

@jpspringall Thanks for the suggestion. I do think this would be a good option, to skip the time-based check (which as you point out can be easily gamed) but continue with the signature check which is much harder to fake. I have created a new id for tracking/prioritizing this work: OKTA-415796

The relevant code seems to be here on the issue, so there is no need to open a PR yourself unless you'd like to add tests/documentation as well :)

@jpspringall
Contributor Author

Hi @aarongranick-okta

More than happy to do the work, as it means it might get into a release sooner :-)

Cheers

J

@jpspringall
Contributor Author

Hi @aarongranick-okta, I do have a question:

I did a search for 'ignoreSignature', and got results in the following files:

lib\options.ts
lib\TransactionManager.ts
lib\idx\run.ts
lib\idx\transactionMeta.ts
lib\oidc\exchangeCodeForTokens.ts
lib\oidc\getWithRedirect.ts
lib\oidc\handleOAuthResponse.ts
lib\oidc\verifyToken.ts
lib\oidc\util\defaultTokenParams.ts
lib\types\api.ts
lib\types\OktaAuthOptions.ts
lib\types\Transaction.ts

but maxClockSkew is only found in the following files:
lib\OktaAuth.ts
lib\oidc\util\validateClaims.ts
lib\types\OktaAuthOptions.ts

From a brief look, it looks like ignoreSignature is also used in the new idx functionality, redirections and the transaction manager, so may not be applicable to maxClockSkew, just confirming that something hasn't been missed?

As the foot print of maxClockSkew is far smaller, to avoid extra work I'm introducing the new option wherever maxClockSkew is used.

On a completely different note, what formatting tool do you use?
I use prettier, but as there isn't a prettier.rc file, I cause carnage whenever I save a file :-)

Cheers

J


@shuowu
Copy link
Contributor

shuowu commented Mar 4, 2022

Released in v5.5.0.

@shuowu shuowu closed this as completed Mar 4, 2022