All work
- JOIDCRP-36: Add RP specific clockSkew property for IssuedAtClaimsValidator (resolved; Philip Smart)
- JOIDCRP-35: Add support for passive inbound requests (resolved; Philip Smart)
- JOIDCRP-34: Remove nonBrowser authentication flow support (resolved; Philip Smart)
- JOIDCRP-33: Typo in add default principals property (resolved; Philip Smart)
- JOIDCRP-29: Support client_secret_jwt and private_key_jwt client authentication (resolved; Philip Smart)
Add RP specific clockSkew property for IssuedAtClaimsValidator
Status: Completed
Assignee: Philip Smart
Reporter: Philip Smart
Components: (none)
Fix versions: (none)
Affects versions: (none)
Environment: None
Created: June 5, 2023 at 11:01 AM
Updated: June 27, 2023 at 11:06 AM
Resolved: June 27, 2023 at 11:06 AM
Activity
Philip Smart, June 5, 2023 at 2:51 PM
I’ve added a property idp.authn.oidc.rp.client.jwt.verifier.clockSkew which, if set, takes precedence over idp.policy.clockSkew. If neither is set, the default of 1 minute applies.
This applies to the expiry and not-before claims validators as well.
Description
Azure AD sets the Issued At (iat) claim 5 minutes before the time at which the JWT was actually issued (to deal with clock synchronisation issues). For the RP to accept the ‘iat’ claim, the IssuedAtClaimsValidator needs to be configured with a suitable clockSkew, e.g. 6 minutes.
This is currently configured from the IdP-wide idp.policy.clockSkew property. A deployer may not want to set this more general clockSkew property for the whole IdP, and may want a way to override it with an RP-specific property (defaulting to the IdP-wide value if not set, and further defaulting to a bean default if neither is set).
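As an added illustration (not code from this ticket or from the Shibboleth OIDC RP plugin), the following Python models the property precedence described above and its effect on the time-based claim checks. The validator semantics (iat must lie within the clock skew of the current time, exp and nbf are each relaxed by the skew) and the seconds-valued property format are assumptions made for the example.

```python
# Added example: property precedence RP-specific -> IdP-wide -> bean default,
# and the time-claim checks that consume the resolved clock skew.
from datetime import timedelta

RP_PROPERTY = "idp.authn.oidc.rp.client.jwt.verifier.clockSkew"
IDP_PROPERTY = "idp.policy.clockSkew"
# Bean default when neither property is set (1 minute, per the ticket).
BEAN_DEFAULT_SKEW = timedelta(minutes=1)


def resolve_clock_skew(props: dict) -> timedelta:
    """RP-specific property wins, then the IdP-wide one, then the bean default.
    Property values are assumed to be whole seconds (example convention)."""
    for key in (RP_PROPERTY, IDP_PROPERTY):
        value = props.get(key)
        if value not in (None, ""):
            return timedelta(seconds=int(value))
    return BEAN_DEFAULT_SKEW


def validate_time_claims(claims: dict, now: int, props: dict) -> list:
    """Return the names of the time-based claims that fail with the resolved skew.
    Assumed semantics: iat within +/- skew of now; exp and nbf relaxed by skew."""
    skew = resolve_clock_skew(props).total_seconds()
    failures = []
    if "iat" in claims and abs(now - claims["iat"]) > skew:
        failures.append("iat")
    if "exp" in claims and now > claims["exp"] + skew:
        failures.append("exp")
    if "nbf" in claims and now < claims["nbf"] - skew:
        failures.append("nbf")
    return failures


# Constructed sample: an Azure AD style token whose iat (and nbf) sit
# 5 minutes before the moment the RP receives it.
NOW = 1_700_000_000
AZURE_STYLE_CLAIMS = {"iat": NOW - 300, "nbf": NOW - 300, "exp": NOW + 3600}

if __name__ == "__main__":
    # Default 1 minute skew: iat is 5 minutes old, so it is rejected.
    print(validate_time_claims(AZURE_STYLE_CLAIMS, NOW, {}))
    # RP-specific 6 minute skew: accepted without touching idp.policy.clockSkew.
    print(validate_time_claims(AZURE_STYLE_CLAIMS, NOW, {RP_PROPERTY: "360"}))
    # RP-specific value takes precedence over a larger IdP-wide one.
    print(validate_time_claims(AZURE_STYLE_CLAIMS, NOW,
                               {RP_PROPERTY: "60", IDP_PROPERTY: "360"}))
```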