Commit b9494d1b authored by Clément OUDOT's avatar Clément OUDOT

Check iat (#183)

parent 0fa5cf26
......@@ -93,6 +93,13 @@ has 'oidcOPMetaDataOptionsIcon' => (
documentation => "OIDC OP logo file",
);
has 'oidcOPMetaDataOptionsIDTokenMaxAge' => (
is => 'rw',
isa => 'Int',
default => 30,
documentation => "OIDC OP ID Token max age",
);
has 'oidcOPMetaDataOptionsJWKSTimeout' => (
is => 'rw',
isa => 'Int',
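Review bot: The `documentation` string of the new `oidcOPMetaDataOptionsIDTokenMaxAge` attribute gives no unit, while checkIDTokenValidity (in the other file of this commit) adds the value to the token's `iat` and compares it with `time`, so it is a number of seconds; `documentation => "OIDC OP ID Token max age (seconds)"` would make that visible to administrators in the Manager. The 30-second default is tight for a value that is checked against the RP clock with no visible skew allowance, so the string should also say that an ID token whose `iat` is older than this many seconds is rejected, so that operators know what to raise when tokens start failing.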
......@@ -287,7 +287,7 @@ sub cstruct {
},
oidcOPMetaDataOptionsProtocol => {
_nodes => [
qw(oidcOPMetaDataOptionsScope oidcOPMetaDataOptionsDisplay oidcOPMetaDataOptionsPrompt oidcOPMetaDataOptionsMaxAge oidcOPMetaDataOptionsUiLocales oidcOPMetaDataOptionsAcrValues oidcOPMetaDataOptionsTokenEndpointAuthMethod oidcOPMetaDataOptionsCheckJWTSignature)
qw(oidcOPMetaDataOptionsScope oidcOPMetaDataOptionsDisplay oidcOPMetaDataOptionsPrompt oidcOPMetaDataOptionsMaxAge oidcOPMetaDataOptionsUiLocales oidcOPMetaDataOptionsAcrValues oidcOPMetaDataOptionsTokenEndpointAuthMethod oidcOPMetaDataOptionsCheckJWTSignature oidcOPMetaDataOptionsIDTokenMaxAge)
],
oidcOPMetaDataOptionsScope =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsScope",
......@@ -296,7 +296,7 @@ sub cstruct {
oidcOPMetaDataOptionsPrompt =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsPrompt",
oidcOPMetaDataOptionsMaxAge =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsMaxAge",
"int:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsMaxAge",
oidcOPMetaDataOptionsUiLocales =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsUiLocales",
oidcOPMetaDataOptionsAcrValues =>
......@@ -305,6 +305,8 @@ sub cstruct {
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsTokenEndpointAuthMethod",
oidcOPMetaDataOptionsCheckJWTSignature =>
"bool:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsCheckJWTSignature",
oidcOPMetaDataOptionsIDTokenMaxAge =>
"int:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsIDTokenMaxAge",
},
oidcOPMetaDataOptionsDisplay => {
_nodes => [
......@@ -280,6 +280,7 @@ sub en {
oidcOPMetaDataOptionsDisplay => 'Display',
oidcOPMetaDataOptionsDisplayName => 'Display name',
oidcOPMetaDataOptionsIcon => 'Logo',
oidcOPMetaDataOptionsIDTokenMaxAge => 'ID Token max age',
oidcOPMetaDataOptionsJWKSTimeout => 'JWKS data timeout',
oidcOPMetaDataOptionsMaxAge => 'Max age',
oidcOPMetaDataOptionsPrompt => 'Prompt',
......@@ -848,6 +849,7 @@ sub fr {
oidcOPMetaDataOptionsDisplay => 'Affichage',
oidcOPMetaDataOptionsDisplayName => 'Nom d\'affichage',
oidcOPMetaDataOptionsIcon => 'Logo',
oidcOPMetaDataOptionsIDTokenMaxAge => 'Âge maximum du jeton ID',
oidcOPMetaDataOptionsJWKSTimeout => 'Durée de vie des données JWKS',
oidcOPMetaDataOptionsMaxAge => 'Âge maximum',
oidcOPMetaDataOptionsPrompt => 'Interaction',
......@@ -467,6 +467,9 @@ sub checkIDTokenValidity {
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsAcrValues};
my $max_age =
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsMaxAge};
my $id_token_max_age =
$self->{oidcOPMetaDataOptions}->{$op}
->{oidcOPMetaDataOptionsIDTokenMaxAge};
# Check issuer
unless ( $id_token->{iss} eq $self->{_oidcOPList}->{$op}->{conf}->{issuer} )
......@@ -505,7 +508,15 @@ sub checkIDTokenValidity {
return 0;
}
# TODO check iat
# Check iat
my $iat = $id_token->{iat};
if ($id_token_max_age) {
unless ( $iat + $id_token_max_age > time ) {
$self->lmLog( "ID token too old (Max age: $id_token_max_age)",
'error' );
return 0;
}
}
# Check nonce
my $nonce = $id_token->{nonce};
......@@ -543,7 +554,7 @@ sub checkIDTokenValidity {
# Check auth_time
my $auth_time = $id_token->{auth_time};
if ( defined $max_age ) {
if ($max_age) {
unless ($auth_time) {
$self->lmLog( "Auth time was not returned by OP $op", 'error' );
return 0;
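Review bot: The new iat check after `# Check iat` never verifies that the claim is present or numeric: when `iat` is absent, `$iat + $id_token_max_age > time` reduces to `30 > time` with the attribute's default and is false, so the token is rejected with the misleading "too old" message (plus an uninitialized-value warning if warnings are enabled) instead of a clear "missing iat" error. The comparison also only rejects tokens issued in the past; an `iat` ahead of the RP clock passes unconditionally, and there is no tolerance for OP/RP clock skew, so the configured value acts as a strict one-sided limit. I would guard the claim first and then treat the option as an acceptable window around the current time, as below. checkIDTokenValidity starts and ends outside this hunk.
```perl
# Check iat
my $iat = $id_token->{iat};
unless ( defined $iat and $iat =~ /\A\d+\z/ ) {
    $self->lmLog( "ID token has no valid iat claim", 'error' );
    return 0;
}
if ($id_token_max_age) {
    unless ( abs( time - $iat ) <= $id_token_max_age ) {
        $self->lmLog(
            "ID token iat ($iat) outside accepted window (Max age: $id_token_max_age)",
            'error' );
        return 0;
    }
}
# … unchanged: nonce check …
```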