nbf validation cannot be disabled #502

Open
Voileexperiments opened this issue Jun 25, 2024 · 5 comments
Comments

@Voileexperiments
For some reason, ValidationParameters has ValidateIssuedTime and ValidateExpirationTime, but not ValidateNotBeforeTime. Additionally, there is no way to manually disable this anywhere.

@Voileexperiments
Author

After looking at the source code, the handling of ValidateIssuedTime is incorrect, since it actually validates nbf instead of iss:

jwt/src/JWT/JwtValidator.cs

Lines 165 to 168 in d6b1e4e

```csharp
if (_valParams.ValidateIssuedTime)
{
    exception ??= ValidateNbfClaim(payloadData, secondsSinceEpoch);
}
```

iss and nbf are completely different, and they can be set with different values (e.g. if you're issuing a token that should only be usable at a later date).

@abatishchev abatishchev self-assigned this Jun 25, 2024
@abatishchev
Member

Check this out: https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1

iss and nbf are completely different, indeed. The former stands for "issuer".

Are you confusing iss and iat?

I agree that the validation parameter's name is confusing (incorrect), issued -> something else. But what would be a better, yet readable, name?

Can you describe your scenario in which you need to validate the iat claim? And how you'd like to validate it?

In AAD for example, both claims usually have the same value.

@Voileexperiments
Author

Sorry, I meant iat when I said iss above.

> I agree that the validation parameter's name is confusing (incorrect), issued -> something else. But what would be a better, yet readable, name?
>
> Can you describe your scenario in which you need to validate the iat claim?

I don't really need to validate iat, but naming ValidateIssuedTime for nbf instead of something like ValidateNotBefore is semantically incorrect from the JWT spec, since iat and nbf have well-defined meanings by RFC 7159:

> The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.
>
> The "iat" (issued at) claim identifies the time at which the JWT was issued.

A parameter named ValidateIssuedTime should unambiguously be handling the "issued time" field; otherwise it is not doing what it says it's supposed to do. Yes, iat usually doesn't need to be validated, but then using ValidateIssuedTime to validate nbf is not correct either.

@abatishchev
Member

To be honest, I don't remember why or how I (or maybe it was an OSS contribution by someone else) came up with this name. Both properties mean "whether the token is valid", one being "already valid" and the other "still valid". I guess because the latter is Expiration, the opposite to it was minted as Issuance. Which you're right, is a different claim.

Long story short. Do you mind submitting a change to add a new property and mark the old one as [Obsolete]?
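As an added sketch of the change discussed in this thread (a correctly named nbf switch, with the old name kept as an [Obsolete] alias so existing callers keep working), here is a self-contained illustration. This is not code from the jwt-dotnet/jwt project; the ValidationParameters shape, the TimeMarginSeconds knob, ClaimTimeValidator and the sample payload are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical shape of the validation switches; not the project's own class.
public sealed class ValidationParameters
{
    public bool ValidateExpirationTime { get; set; } = true;

    // New, correctly named switch for the "nbf" claim (RFC 7519 section 4.1.5).
    public bool ValidateNotBeforeTime { get; set; } = true;

    // Old name kept for compatibility. It only ever gated the nbf check,
    // so it forwards to the new property instead of duplicating state.
    [Obsolete("Use ValidateNotBeforeTime; this property always validated the nbf claim, not iat.")]
    public bool ValidateIssuedTime
    {
        get => ValidateNotBeforeTime;
        set => ValidateNotBeforeTime = value;
    }

    // Allowed clock skew between issuer and verifier, in seconds (assumed knob).
    public long TimeMarginSeconds { get; set; } = 0;
}

public static class ClaimTimeValidator
{
    // Returns null when the time-based claims are acceptable, otherwise a message
    // describing the failure. payload is the decoded claim set; secondsSinceEpoch
    // is the verifier's current time.
    public static string Validate(IDictionary<string, object> payload, long secondsSinceEpoch, ValidationParameters p)
    {
        if (p.ValidateExpirationTime && payload.TryGetValue("exp", out var expObj))
        {
            long exp = Convert.ToInt64(expObj);
            if (secondsSinceEpoch > exp + p.TimeMarginSeconds)
                return "token has expired";
        }

        if (p.ValidateNotBeforeTime && payload.TryGetValue("nbf", out var nbfObj))
        {
            long nbf = Convert.ToInt64(nbfObj);
            if (secondsSinceEpoch < nbf - p.TimeMarginSeconds)
                return "token is not yet valid";
        }

        // "iat" is informational: RFC 7519 does not require it to be checked,
        // so no switch gates it here and it is left untouched.
        return null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample claim set: issued at 1_000_000, usable only from
        // 1_000_600 (the "usable at a later date" case from the issue), expires at 1_003_600.
        var payload = new Dictionary<string, object>
        {
            ["iat"] = 1_000_000L,
            ["nbf"] = 1_000_600L,
            ["exp"] = 1_003_600L,
        };

        var strict = new ValidationParameters();
        Console.WriteLine(ClaimTimeValidator.Validate(payload, 1_000_300, strict) ?? "ok");
        Console.WriteLine(ClaimTimeValidator.Validate(payload, 1_002_000, strict) ?? "ok");
        Console.WriteLine(ClaimTimeValidator.Validate(payload, 1_004_000, strict) ?? "ok");

        // The request in this issue: the nbf check can now be switched off by name.
        var noNbf = new ValidationParameters { ValidateNotBeforeTime = false };
        Console.WriteLine(ClaimTimeValidator.Validate(payload, 1_000_300, noNbf) ?? "ok");

#pragma warning disable CS0618 // the old name still compiles, but the compiler flags it as obsolete
        var legacy = new ValidationParameters { ValidateIssuedTime = false };
#pragma warning restore CS0618
        Console.WriteLine(legacy.ValidateNotBeforeTime);
    }
}
```

Run as a console project: the first three calls report "not yet valid", "ok" and "expired" in turn for the same token at three verifier times; the fourth shows the token accepted before its nbf once the new switch is off; the last line confirms that setting the obsolete property changes the new one. Keeping the alias a pure forwarder is what lets the rename ship without silently changing what existing callers' configurations do.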

@abatishchev
Member

Ping on a contribution to the project. Thanks!
