[Openid-specs-ab] Issue #2154: the iat claim and clock skew issues (openid/connect)

Andrii Deinega issues-reply at bitbucket.org
Tue May 21 19:17:00 UTC 2024


New issue 2154: the iat claim and clock skew issues
https://bitbucket.org/openid/connect/issues/2154/the-iat-claim-and-clock-skew-issues

Andrii Deinega:

The ID Token section of the [OpenID Connect Core 1.0 (errata set 2) spec](https://openid.net/specs/openid-connect-core-1_0.html) describes the exp claim in the following way:

> Expiration time on or after which the ID Token MUST NOT be accepted by the RP when performing authentication with the OP. The processing of this parameter requires that the current date/time MUST be before the expiration date/time listed in the value. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.

At the same time, the description for the iat claim does not say anything specific about whether the ID Token should be accepted or rejected by an RP when it gets issued in the “near” future from its point of view (this might happen when an RP runs into time skew issues).

I suggest clarifying these things a bit; quick research uncovered that different OpenID Connect libraries cover that in different ways (some of them take into account a small leeway for time in both the iat and exp claims, others only for the time in the exp claim, and so forth).
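The two library behaviours described in the issue, side by side, as an added example that is not part of the original post or of any OpenID Connect library: an RP-side time check that always applies leeway to exp, and optionally applies the same leeway to an iat that lies in the RP's near future. The claim values, the `TimePolicy` name and the 120-second leeway are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample ID Token claims (not from the post); Unix seconds.
# The OP's clock runs 90 s ahead of the RP's, so iat sits in the RP's near future.
RP_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": "https://op.example",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "iat": RP_NOW + 90,
    "exp": RP_NOW + 90 + 600,
}


@dataclass(frozen=True)
class TimePolicy:
    leeway: int = 120            # assumed clock-skew tolerance in seconds
    leeway_on_iat: bool = True   # False reproduces libraries that only relax exp


def check_token_times(claims, now, policy=TimePolicy()):
    """Validate exp and iat against the RP clock. Returns (accepted, reason)."""
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "exp and iat are REQUIRED integer claims"
    if iat > exp:
        return False, "iat is later than exp; token is malformed"

    # Core 1.0: current time MUST be before exp, with a small leeway allowed.
    if now >= exp + policy.leeway:
        return False, f"expired {now - exp}s ago (leeway {policy.leeway}s)"

    # iat in the future means skew between OP and RP (or a bogus timestamp).
    # Core 1.0 does not say whether leeway applies here; libraries differ.
    iat_slack = policy.leeway if policy.leeway_on_iat else 0
    if iat > now + iat_slack:
        return False, f"issued {iat - now}s in the future (allowed {iat_slack}s)"

    return True, "accepted"


if __name__ == "__main__":
    for policy in (TimePolicy(), TimePolicy(leeway_on_iat=False)):
        ok, why = check_token_times(SAMPLE_CLAIMS, RP_NOW, policy)
        print(f"leeway_on_iat={policy.leeway_on_iat}: {ok} ({why})")
```

Run as a script, the same token is accepted under the first policy and rejected under the second, which is exactly the interoperability gap the issue points at.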


