fix: ensure jwt replay detection takes clockTolerance into account

panva · Apr 20, 2022 · f167233 · f167233
1 parent 3fca22b
commit f167233
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/lib/actions/authorization/process_request_object.js b/lib/actions/authorization/process_request_object.js
@@ -231,7 +231,7 @@ module.exports = async function processRequestObject(PARAM_LIST, rejectDupesMidd
 
     if (route !== 'pushed_authorization_request' && payload.jti && payload.exp && payload.iss) {
       const unique = await ctx.oidc.provider.ReplayDetection.unique(
-        payload.iss, payload.jti, payload.exp,
+        payload.iss, payload.jti, payload.exp + conf.clockTolerance,
       );
 
       if (!unique) {

diff --git a/lib/shared/token_jwt_auth.js b/lib/shared/token_jwt_auth.js
@@ -3,6 +3,7 @@ const instance = require('../helpers/weak_cache');
 const JWT = require('../helpers/jwt');
 
 module.exports = function getTokenJwtAuth(provider) {
+  const clockTolerance = instance(provider).configuration('clockTolerance');
   return async function tokenJwtAuth(ctx, keystore, algorithms) {
     const acceptedAud = ctx.oidc.clientJwtAuthExpectedAudience();
     const { header, payload } = JWT.decode(ctx.oidc.params.client_assertion);
@@ -41,14 +42,16 @@ module.exports = function getTokenJwtAuth(provider) {
 
     try {
       await JWT.verify(ctx.oidc.params.client_assertion, keystore, {
-        clockTolerance: instance(provider).configuration('clockTolerance'),
+        clockTolerance,
         ignoreAzp: true,
       });
     } catch (err) {
       throw new InvalidClientAuth(err.message);
     }
 
-    const unique = await provider.ReplayDetection.unique(payload.iss, payload.jti, payload.exp);
+    const unique = await provider.ReplayDetection.unique(
+      payload.iss, payload.jti, payload.exp + clockTolerance,
+    );
 
     if (!unique) {
       throw new InvalidClientAuth('client assertion tokens must only be used once');