context is nullable

navikt · Dec 6, 2023 · 6728507 · 6728507
1 parent 3d4c361
commit 6728507
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 41 deletions.
diff --git a/...n/java/no/nav/security/token/support/core/validation/DefaultConfigurableJwtValidator.java b/...n/java/no/nav/security/token/support/core/validation/DefaultConfigurableJwtValidator.java
@@ -80,7 +80,7 @@ public DefaultConfigurableJwtValidator(String issuer, List<String> acceptedAudie
             JWSAlgorithm.RS256,
             jwkSource
         );
-        var claimsVerifier = new DefaultJwtClaimsVerifier<>(
+        var claimsVerifier = new DefaultJwtClaimsVerifier<SecurityContext>(
             acceptedAudiences(acceptedAudiences, optionalClaims),
             exactMatchClaims,
             requiredClaims,
@@ -130,4 +130,4 @@ private static <T> Set<T> difference(List<T> first, List<T> second) {
     protected JWKSource<SecurityContext> getJwkSource() {
         return this.jwkSource;
     }
-}
+}
diff --git a/...src/main/java/no/nav/security/token/support/core/validation/DefaultJwtClaimsVerifier.java b/...src/main/java/no/nav/security/token/support/core/validation/DefaultJwtClaimsVerifier.java
diff --git a/...src/main/kotlin/no/nav/security/token/support/core/validation/DefaultJwtClaimsVerifier.kt b/...src/main/kotlin/no/nav/security/token/support/core/validation/DefaultJwtClaimsVerifier.kt
@@ -0,0 +1,26 @@
+package no.nav.security.token.support.core.validation
+
+import com.nimbusds.jose.proc.SecurityContext
+import com.nimbusds.jwt.JWTClaimsSet
+import com.nimbusds.jwt.proc.BadJWTException
+import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier
+import com.nimbusds.jwt.util.DateUtils
+import com.nimbusds.openid.connect.sdk.validators.BadJWTExceptions.IAT_CLAIM_AHEAD_EXCEPTION
+import java.util.Date
+
+/**
+ * Extends [com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier] with a time check for the issued at ("iat") claim.
+ * The claim is only checked if it exists in the given claim set.
+ */
+class DefaultJwtClaimsVerifier<C : SecurityContext>(acceptedAudience : Set<String?>?, exactMatchClaims : JWTClaimsSet, requiredClaims : Set<String>, prohibitedClaims : Set<String>) : DefaultJWTClaimsVerifier<C>(acceptedAudience, exactMatchClaims, requiredClaims, prohibitedClaims) {
+
+    @Throws(BadJWTException::class)
+    override fun verify(claimsSet: JWTClaimsSet, context: C?) {
+        super.verify(claimsSet, context)
+        claimsSet.issueTime?.let { iat ->
+            if (!DateUtils.isBefore(iat, Date(), maxClockSkew.toLong())) {
+                throw IAT_CLAIM_AHEAD_EXCEPTION
+            }
+        }
+    }
+}
diff --git a/...va/no/nav/security/token/support/core/validation/DefaultConfigurableJwtValidatorTest.java b/...va/no/nav/security/token/support/core/validation/DefaultConfigurableJwtValidatorTest.java
@@ -217,4 +217,4 @@ private JwtTokenValidator tokenValidator(List<String> acceptedAudiences, List<St
     private long maxClockSkewMillis() {
         return TimeUnit.SECONDS.toMillis(DefaultJwtClaimsVerifier.DEFAULT_MAX_CLOCK_SKEW_SECONDS + 5);
     }
-}
+}
-Original file line number
+Diff line change
@@ Expand Up @@
         private long maxClockSkewMillis() {
             return TimeUnit.SECONDS.toMillis(DefaultJwtClaimsVerifier.DEFAULT_MAX_CLOCK_SKEW_SECONDS + 5);
         }
-    }
+    }