Skip to content

Commit

Permalink
feat(jans-auth-server): added to par extra nbf and exp (for 60min) va…
Browse files Browse the repository at this point in the history
…lidation

#824
  • Loading branch information
yuriyz committed Feb 17, 2022
1 parent b9dbfb5 commit 5f109ce
Show file tree
Hide file tree
Showing 4 changed files with 51 additions and 15 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ public class ParAttributes implements Serializable {
@JsonProperty
Integer maxAge;
@JsonProperty
Integer nbf;
@JsonProperty
private String scope;
@JsonProperty
private String responseType;
Expand Down Expand Up @@ -142,6 +144,14 @@ public void setMaxAge(Integer maxAge) {
this.maxAge = maxAge;
}

public Integer getNbf() {
return nbf;
}

public void setNbf(Integer nbf) {
this.nbf = nbf;
}

public String getUiLocales() {
return uiLocales;
}
Expand Down Expand Up @@ -268,6 +278,7 @@ public String toString() {
", display='" + display + '\'' +
", prompt='" + prompt + '\'' +
", maxAge=" + maxAge +
", nbf=" + nbf +
", uiLocales='" + uiLocales + '\'' +
", idTokenHint='" + idTokenHint + '\'' +
", loginHint='" + loginHint + '\'' +
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -58,8 +58,8 @@
*/
public class JwtAuthorizationRequest {

private final static Logger log = LoggerFactory.getLogger(JwtAuthorizationRequest.class);
private final static int SIXTY_MINUTES_AS_SECONDS = 3600;
private static final Logger log = LoggerFactory.getLogger(JwtAuthorizationRequest.class);
private static final int SIXTY_MINUTES_AS_SECONDS = 3600;

// Header
private String type;
Expand Down Expand Up @@ -544,17 +544,11 @@ private void validateFapi() throws InvalidJwtException {
throw new InvalidJwtException("None algorithm is not allowed for FAPI");
}

if (nbf == null || nbf <= 0) { // https://github.com/JanssenProject/jans-auth-server/issues/164 fapi1-advanced-final-ensure-request-object-without-nbf-fails
log.error("nbf claim is not set, nbf: {}", nbf);
throw new InvalidJwtException("nbf claim is not set");
}
final long nowSeconds = System.currentTimeMillis() / 1000;
final long nbfDiff = nowSeconds - nbf;
if (nbfDiff > SIXTY_MINUTES_AS_SECONDS) { // https://github.com/JanssenProject/jans-auth-server/issues/166
log.error("nbf claim is more then 60 Minutes in the past, nbf: {}, nowSeconds: {}", nbf, nowSeconds);
throw new InvalidJwtException("nbf claim is more then 60 in the past");
}
validateNbf(nbf);
validateExp(exp);
}

public static void validateExp(Integer exp) throws InvalidJwtException {
if (exp == null) {
log.error("The exp claim is not set");
throw new InvalidJwtException("exp claim is not set");
Expand All @@ -566,6 +560,18 @@ private void validateFapi() throws InvalidJwtException {
log.error("exp claim is more then 60 minutes in the future, exp: {}, nowSecondsExp: {}", exp, nowSecondsExp);
throw new InvalidJwtException("exp claim is more then 60 in the future");
}
}

public static void validateNbf(Integer nbf) throws InvalidJwtException {
if (nbf == null || nbf <= 0) { // https://github.com/JanssenProject/jans-auth-server/issues/164 fapi1-advanced-final-ensure-request-object-without-nbf-fails
log.error("nbf claim is not set, nbf: {}", nbf);
throw new InvalidJwtException("nbf claim is not set");
}
final long nowSeconds = System.currentTimeMillis() / 1000;
final long nbfDiff = nowSeconds - nbf;
if (nbfDiff > SIXTY_MINUTES_AS_SECONDS) { // https://github.com/JanssenProject/jans-auth-server/issues/166
log.error("nbf claim is more then 60 Minutes in the past, nbf: {}, nowSeconds: {}", nbf, nowSeconds);
throw new InvalidJwtException("nbf claim is more then 60 in the past");
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,10 @@
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.config.StaticConfiguration;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.util.Util;
import io.jans.as.persistence.model.Par;
import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
import io.jans.orm.PersistenceEntryManager;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
Expand Down Expand Up @@ -103,15 +105,30 @@ public Par getParAndValidateForAuthorizationRequest(String id, String state, Str
.build());
}

validate(par, state);
return par;
}

private void validate(Par par, String state) {
Date now = new Date();
if (par.isExpired(now)) {
log.debug("PAR is expired, id: {}, exp: {}, now: {}", id, par.getExpirationDate(), now);
log.debug("PAR is expired, id: {}, exp: {}, now: {}", par.getId(), par.getExpirationDate(), now);
throw new WebApplicationException(Response
.status(Response.Status.BAD_REQUEST)
.entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_URI, state, "PAR is expired"))
.type(MediaType.APPLICATION_JSON_TYPE)
.build());
}
return par;

try {
JwtAuthorizationRequest.validateExp((int) (par.getExpirationDate().getTime() / 1000));
JwtAuthorizationRequest.validateNbf(par.getAttributes().getNbf());
} catch (InvalidJwtException e) {
throw new WebApplicationException(Response
.status(Response.Status.BAD_REQUEST)
.entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, state, "Failed to validate exp or nbf"))
.type(MediaType.APPLICATION_JSON_TYPE)
.build());
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,9 @@ public void validateRequestObject(RedirectUriResponse redirectUriResponse, Par p
if (StringUtils.isNotBlank(jwtRequest.getClientId())) {
par.getAttributes().setClientId(jwtRequest.getClientId());
}

if (jwtRequest.getNbf() != null) {
par.getAttributes().setNbf(jwtRequest.getNbf());
}
if (!jwtRequest.getScopes().isEmpty()) { // JWT wins
Set<String> scopes = scopeChecker.checkScopesPolicy(client, Lists.newArrayList(jwtRequest.getScopes()));
par.getAttributes().setScope(implode(scopes, " "));
Expand Down

0 comments on commit 5f109ce

Please sign in to comment.