-
Notifications
You must be signed in to change notification settings - Fork 375
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issued At RFC type mismatch causing false postives on verify_at #353
Comments
@elyhaka I give you a green light for a PR. :) |
I think there is a potential issue here because
timestamps are deliberately shortened from realistic values for readability Is there a case for allowing up to 1s delta, without treating it as a leeway for the purposes of the RFC as disussed in #273? I think that is reasonable given the values we are dealing are rounded and can be up to 1s off. |
I have the same concerns as @jakeprime. A delta would help, but is that allowed? |
Been playing around with this today and I think the problem is not that the values are handled as a floats. Do you @elyhaka have some example values that causes this problem. Think that if we start converting Something that could help is to allow giving a validation specific leeway.
|
In the example above where the token is created at A slightly different example where this may be a problem is with clock drift between the issuer and and checker. If the issuer is running (marginally) faster than checker, it is possible that the issuer issues the token at |
The current check we are discussing is actually something like Switching |
Would like to experiment with the following to improve the iat validation:
Think how validation of iat should be done is not something that is defined by any standard or specification. So it's up to the validator to choose. |
Wrote a few tests to verify that the current behaviour is as good as it gets without any leeway in the verification #423 Also it seems that taking the leeway into consideration for this verification was removed in #257, reasoning was that there is no mentioning of leeway in the spec. I think we have two options:
Personally i think supporting verifications with some custom interpretations is the way to go, would not break any of the current assumptions. |
Actually the only verification we can do according to the RFC is that the value is a NumericDate if it's given. |
FYI I've submitted an errata request to RFC 7519 to update the spec to explicitly prohibit rejecting tokens with Feel free to follow along here: Discussion: JWT tokens containing |
Hello there,
We had some troubles with
ruby-jwt
in production recently. The reason was that we put the unix timestamp as seconds since epoch iniat
, but insideverify_iat
ruby-jwt casts it using.to_f
.When comparing
iat
againstTime.now.to_f
you compare an int (rounded to.0
) to a full decimal version, makingiat.to_f > Time.now.to_f
trigger a false positive.The specification in https://tools.ietf.org/html/rfc7519#section-4.1.6 states that the
iat
should be aNumericDate
as defined in RFC7519:The fix for this should be trivial (replacing
to_f
withto_i
) but before submitting a pull request I'd like to check with you if that fix makes sense.The text was updated successfully, but these errors were encountered: