Validate ID Tokens on the iat Claim value. #7

Open
chamathns opened this issue Oct 16, 2020 · 0 comments
Description:
Rule 10 of the ID Token validation section in the OIDC spec [1] says:

The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.

Currently, the oidc-sdk rejects an ID Token only if the exp time > current time + skew. Taking the iat Claim value and rejecting ID Tokens based on the age of the ID Token can prevent potential attacks.
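An added example (not code from the oidc-sdk) that contrasts the exp-only check described above with one that also bounds the token age via iat; the skew and max-age values are assumptions standing in for the client-specific range, and the token is a constructed sample with a placeholder signature.

```python
import base64
import json

SKEW_SECONDS = 60     # tolerated clock drift between issuer and client (assumption)
MAX_TOKEN_AGE = 300   # client-specific acceptable age of an ID Token (assumption)


def make_token(claims: dict) -> str:
    """Build a compact JWS-shaped string with a placeholder signature.
    Constructed sample only; a real ID Token carries a verifiable signature."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check happens here;
    signature verification must precede any trust in these claims."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_exp_only(claims: dict, now: int, skew: int = SKEW_SECONDS) -> bool:
    """The behaviour the issue describes: only exp is enforced, so a token issued
    long ago but still unexpired is accepted."""
    return now <= claims["exp"] + skew


def check_exp_and_iat(claims: dict, now: int, skew: int = SKEW_SECONDS,
                      max_age: int = MAX_TOKEN_AGE) -> bool:
    """Proposed behaviour: reject tokens that are expired, issued in the future
    beyond the skew, or older than the client's acceptable age."""
    exp = claims.get("exp")
    iat = claims.get("iat")
    if exp is None or iat is None:
        return False                 # both claims are required in an ID Token
    if now > exp + skew:
        return False                 # expired
    if iat > now + skew:
        return False                 # issued in the future: clock problem or forgery
    if now - iat > max_age + skew:
        return False                 # too old: replay window for the nonce exceeded
    return True
```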
