Add RP specific clockSkew property for IssuedAtClaimsValidator
Description
Azure AD sets the Issued At (iat) claim 5 minutes before the time at which the JWT was actually issued (to deal with clock synchronization issues). For the RP to accept the ‘iat’ claim, the IssuedAtClaimsValidator needs to be configured with a suitable clockSkew, e.g. 6 minutes.
This is currently configured from the IdP-wide idp.policy.clockSkew property. A deployer may not want to set this more general clockSkew property for the whole IdP, and may want a way to override it with an RP-specific property (defaulting to the IdP-wide value if not set, and further defaulting to a bean default if neither is set).
Environment
None
Activity
Philip Smart June 5, 2023 at 2:51 PM
I’ve added a property idp.authn.oidc.rp.client.jwt.verifier.clockSkew which, if set, takes precedence over idp.policy.clockSkew. If neither is set, the default of 1 minute applies.
This applies to the expiry and not-before claims validators as well.
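The following is an added illustration of the behaviour described in the issue description and in the comment above; it is not code from the Shibboleth IdP or its OIDC plugin. It keeps the two property names from the issue (idp.authn.oidc.rp.client.jwt.verifier.clockSkew and idp.policy.clockSkew) and the 1-minute fallback from the comment, and models the resolution order RP-specific, then IdP-wide, then bean default. The validator is a simplified model: it assumes iat is only accepted within a window of plus or minus the skew around the current time, which is the reading under which the 5-minute Azure AD backdating fails with a 1-minute skew and passes with a 6-minute one. The duration parser, the claim checks and the sample claims are all constructed for this example.

```python
"""Clock-skew handling for JWT time claims (iat, nbf, exp).

Added illustration for this issue, not Shibboleth IdP or plugin code.
The property names and the 1-minute default come from the issue; the
resolution order and the validator are a simplified model of the
described behaviour, not the plugin's implementation.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional

RP_SKEW_PROPERTY = "idp.authn.oidc.rp.client.jwt.verifier.clockSkew"
IDP_SKEW_PROPERTY = "idp.policy.clockSkew"
BEAN_DEFAULT_SKEW = timedelta(minutes=1)  # fallback named in the issue comment

# ISO 8601 duration subset of the form used in idp.properties (PT6M, PT90S, PT1H30M).
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def parse_duration(value: str) -> timedelta:
    """Parse a PT..H..M..S duration string into a timedelta."""
    m = _DURATION.match(value.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def resolve_clock_skew(props: Mapping[str, str]) -> timedelta:
    """RP-specific property wins, then the IdP-wide one, then the bean default."""
    for name in (RP_SKEW_PROPERTY, IDP_SKEW_PROPERTY):
        value = props.get(name)
        if value:
            return parse_duration(value)
    return BEAN_DEFAULT_SKEW


def validate_time_claims(claims: Mapping[str, int], now: datetime,
                         skew: timedelta) -> Optional[str]:
    """Apply the skew to iat, nbf and exp.

    Returns None when the JWT is acceptable, otherwise the first rejection
    reason. Model assumption: iat must lie within [now - skew, now + skew].
    That freshness window is what makes a 5-minute backdated iat fail under
    a 1-minute skew and pass under a 6-minute one.
    """
    def ts(key: str) -> datetime:
        return datetime.fromtimestamp(claims[key], tz=timezone.utc)

    if "iat" in claims:
        iat = ts("iat")
        if iat > now + skew:
            return "iat is in the future"
        if iat < now - skew:
            return "iat is too old"
    if "nbf" in claims and ts("nbf") > now + skew:
        return "token not yet valid (nbf)"
    if "exp" in claims and ts("exp") < now - skew:
        return "token has expired (exp)"
    return None


def azure_like_claims(issued_at: datetime,
                      lifetime: timedelta = timedelta(hours=1)) -> dict:
    """Constructed sample claims: iat backdated 5 minutes from the real issue
    time, as the issue describes for Azure AD; nbf matches iat; exp is
    lifetime after the real issue time."""
    iat = issued_at - timedelta(minutes=5)
    return {"iat": int(iat.timestamp()),
            "nbf": int(iat.timestamp()),
            "exp": int((issued_at + lifetime).timestamp())}


def check_token(props: Mapping[str, str], claims: Mapping[str, int],
                now: datetime) -> Optional[str]:
    """Resolve the skew from the properties and validate the time claims."""
    return validate_time_claims(claims, now, resolve_clock_skew(props))


if __name__ == "__main__":
    now = datetime(2023, 6, 5, 14, 51, tzinfo=timezone.utc)
    token = azure_like_claims(now)
    for label, props in [
        ("no properties (bean default PT1M)", {}),
        ("IdP-wide PT6M only", {IDP_SKEW_PROPERTY: "PT6M"}),
        ("RP PT6M overrides IdP-wide PT1M",
         {IDP_SKEW_PROPERTY: "PT1M", RP_SKEW_PROPERTY: "PT6M"}),
    ]:
        print(f"{label}: {check_token(props, token, now) or 'accepted'}")
```

Run as a script, the first case is rejected ("iat is too old") and the other two are accepted, which is the point of the RP-specific property: the deployer can widen the window for the one client that backdates iat without loosening idp.policy.clockSkew for every other consumer of it.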