From b68b9ab5af6a85a2f42adf6b782cef7e08378658 Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Fri, 30 Apr 2021 13:58:13 +0200
Subject: [PATCH] fix(fapi): validate ID Token's iat regardless of which channel it came from
---
 lib/client.js | 24 ++++++++++++------------
 test/client/client_instance.test.js | 2 ++
 2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/lib/client.js b/lib/client.js
index 39d2e81f..07573245 100644
--- a/lib/client.js
+++ b/lib/client.js
@@ -724,6 +724,8 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 });
 }
 
+ const fapi = this.constructor.name === 'FAPIClient';
+
 if (returnedBy === 'authorization') {
 if (!payload.at_hash && tokenSet.access_token) {
 throw new RPError({
@@ -739,19 +741,7 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 });
 }
 
- const fapi = this.constructor.name === 'FAPIClient';
-
 if (fapi) {
- if (payload.iat < timestamp - 3600) {
- throw new RPError({
- printf: ['JWT issued too far in the past, now %i, iat %i', timestamp, payload.iat],
- now: timestamp,
- tolerance: this[CLOCK_TOLERANCE],
- iat: payload.iat,
- jwt: idToken,
- });
- }
-
 if (!payload.s_hash && (tokenSet.state || state)) {
 throw new RPError({
 message: 'missing required property s_hash',
@@ -773,6 +763,16 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 }
 }
 
+ if (fapi && payload.iat < timestamp - 3600) {
+ throw new RPError({
+ printf: ['JWT issued too far in the past, now %i, iat %i', timestamp, payload.iat],
+ now: timestamp,
+ tolerance: this[CLOCK_TOLERANCE],
+ iat: payload.iat,
+ jwt: idToken,
+ });
+ }
+
 if (tokenSet.access_token && payload.at_hash !== undefined) {
 try {
 tokenHash.validate({ claim: 'at_hash', source: 'access_token' }, payload.at_hash, tokenSet.access_token, header.alg, key && key.crv);
diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
index 3ca3a740..df4a886e 100644
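Review bot: The profile switch added at `const fapi = this.constructor.name === 'FAPIClient';` keys the stricter checks on the class name, so an application subclass of FAPIClient (whose `constructor.name` is its own name) silently falls back to the plain-client validation that follows — a fail-open for a security profile, and class-renaming minifiers would have the same effect. If FAPIClient is a class declared in this module, an `instanceof` test or a static marker overridden on FAPIClient survives subclassing, e.g. `const fapi = this instanceof FAPIClient;`. The enclosing method starts and ends outside this hunk.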
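Review bot: The freshness check added as `if (fapi && payload.iat < timestamp - 3600)` uses a fixed 3600 s window and never consults `this[CLOCK_TOLERANCE]`, yet the RPError it throws reports that value as `tolerance`, which misleads anyone debugging the rejection; unless `timestamp` (defined outside the hunk) already absorbs the tolerance, the window should include it. A second gap: when `payload.iat` is absent or not a number the comparison is simply false and the token passes, so unless a required-claim check earlier in the method already guarantees a numeric `iat`, guard it explicitly: `if (fapi && (typeof payload.iat !== 'number' || payload.iat < timestamp - 3600 - this[CLOCK_TOLERANCE])) {`. The enclosing method starts and ends outside this hunk.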
--- a/test/client/client_instance.test.js
+++ b/test/client/client_instance.test.js
@@ -2644,9 +2644,11 @@ describe('Client', () => {
 it('FAPIClient checks iat is fresh', function () {
 const code = 'jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y'; // eslint-disable-line camelcase, max-len
 const c_hash = '77QmUPtjPfzWtF2AnpK9RQ'; // eslint-disable-line camelcase
+ const s_hash = 'LCa0a2j_xo_5m0U8HTBBNA'; // eslint-disable-line camelcase
 return this.IdToken(this.keystore.get(), 'RS256', {
 c_hash,
+ s_hash,
 iss: this.issuer.issuer,
 sub: 'userId',
 aud: this.fapiClient.client_id,