fix(openid/client): ensure assertion time claims are rounded down instead of up

Hopefully fixes intermittent 'invalid_grant' errors from IdP.
2026-05-06 16:36:51 +00:00 · 2022-07-18 09:24:20 +02:00
parent 4a3f1d3d7e
commit 284fa2a76f
5 changed files with 13 additions and 9 deletions
--- a/pkg/jwt/jwt.go
+++ b/pkg/jwt/jwt.go
@@ -10,7 +10,7 @@ import (
 )

 const (
-	AcceptableClockSkew = 10 * time.Second
+	AcceptableClockSkew = 5 * time.Second

 	JtiClaim = "jti"
 	SidClaim = "sid"
--- a/pkg/mock/openid.go
+++ b/pkg/mock/openid.go
@@ -367,14 +367,16 @@ func (ip *IdentityProviderHandler) Token(w http.ResponseWriter, r *http.Request)
 	}

 	expires := int64(1200)
+	iat := time.Now().Truncate(time.Second)
+	exp := iat.Add(time.Duration(expires) * time.Second)
 	sub := uuid.New().String()

 	accessToken := jwt.New()
 	accessToken.Set("sub", sub)
 	accessToken.Set("iss", ip.Provider.GetOpenIDConfiguration().Issuer)
 	accessToken.Set("acr", auth.AcrLevel)
-	accessToken.Set("iat", time.Now().Unix())
-	accessToken.Set("exp", time.Now().Unix()+expires)
+	accessToken.Set("iat", iat.Unix())
+	accessToken.Set("exp", exp.Unix())
 	accessToken.Set("jti", uuid.NewString())
 	signedAccessToken, err := ip.signToken(accessToken)
 	if err != nil {
@@ -390,8 +392,8 @@ func (ip *IdentityProviderHandler) Token(w http.ResponseWriter, r *http.Request)
 	idToken.Set("locale", auth.Locale)
 	idToken.Set("nonce", auth.Nonce)
 	idToken.Set("acr", auth.AcrLevel)
-	idToken.Set("iat", time.Now().Unix())
-	idToken.Set("exp", time.Now().Unix()+expires)
+	idToken.Set("iat", iat.Unix())
+	idToken.Set("exp", exp.Unix())
 	idToken.Set("jti", uuid.NewString())

 	// If the sid claim should be in token and in active session
--- a/pkg/openid/client/client.go
+++ b/pkg/openid/client/client.go
@@ -105,7 +105,7 @@ func (c client) MakeAssertion(expiration time.Duration) (string, error) {
 	providerCfg := c.config().Provider()
 	key := clientCfg.GetClientJWK()

-	iat := time.Now()
+	iat := time.Now().Truncate(time.Second)
 	exp := iat.Add(expiration)

 	errs := make([]error, 0)
--- a/pkg/openid/tokens.go
+++ b/pkg/openid/tokens.go
@@ -51,7 +51,7 @@ func (in *IDToken) Validate(cfg openidconfig.Config, nonce string) error {
 		jwtlib.WithAudience(clientConfig.GetClientID()),
 		jwtlib.WithClaimValue("nonce", nonce),
 		jwtlib.WithIssuer(openIDconfig.Issuer),
-		jwtlib.WithAcceptableSkew(5 * time.Second),
+		jwtlib.WithAcceptableSkew(jwt.AcceptableClockSkew),
 	}

 	if openIDconfig.SidClaimRequired() {
--- a/pkg/session/session_id_test.go
+++ b/pkg/session/session_id_test.go
@@ -137,12 +137,14 @@ func params(key, value string) url.Values {
 }

 func newIDToken(extraClaims map[string]string) *openid.IDToken {
+	now := time.Now().Truncate(time.Second)
+
 	idToken := jwtlib.New()
 	idToken.Set("sub", "test")
 	idToken.Set("iss", "test")
 	idToken.Set("aud", "test")
-	idToken.Set("iat", time.Now().Unix())
-	idToken.Set("exp", time.Now().Add(time.Hour).Unix())
+	idToken.Set("iat", now.Unix())
+	idToken.Set("exp", now.Add(time.Hour).Unix())

 	for claim, value := range extraClaims {
 		if len(claim) > 0 {