Merge pull request lxc#707 from stgraber/main

Fixes to JWT handling
stgraber · Mar 30, 2024 · a5ed6c0 · a5ed6c0
2 parents 0d3c5a6 + cb3ad27
commit a5ed6c0
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/internal/server/util/http.go b/internal/server/util/http.go
@@ -319,6 +319,16 @@ func CheckJwtToken(r *http.Request, trustedCerts map[string]x509.Certificate) (b
 		return false, "", nil
 	}
 
+	// Make sure this isn't an OIDC JWT.
+	issuer, err := token.Claims.GetIssuer()
+	if err != nil {
+		return false, "", nil
+	}
+
+	if issuer != "" {
+		return false, "", nil
+	}
+
 	// Check if the token is valid.
 	notBefore, err := token.Claims.GetNotBefore()
 	if err != nil {
@@ -330,7 +340,7 @@ func CheckJwtToken(r *http.Request, trustedCerts map[string]x509.Certificate) (b
 		return false, "", nil
 	}
 
-	if time.Now().Before(notBefore.Time) || time.Now().After(expiresAt.Time) {
+	if (notBefore != nil && time.Now().Before(notBefore.Time)) || (expiresAt != nil && time.Now().After(expiresAt.Time)) {
 		return false, "", nil
 	}