[Openid-specs-ab] Issue #2154: the iat claim and clock skew issues (openid/connect)

Brian Campbell bcampbell at pingidentity.com
Tue May 21 20:48:25 UTC 2024


It is maybe worth noting that there was a thread on the same or similar
subject on the OAuth WG list a few months ago:

https://mailarchive.ietf.org/arch/msg/oauth/Qkz2HqOzdVM0oyDPSeOdo-iLN8E/



On Tue, May 21, 2024 at 1:17 PM Andrii Deinega via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> New issue 2154: the iat claim and clock skew issues
>
> https://bitbucket.org/openid/connect/issues/2154/the-iat-claim-and-clock-skew-issues
>
> Andrii Deinega:
>
> The ID Token section of the [OpenID Connect Core 1.0 (errata set 2)
> spec](https://openid.net/specs/openid-connect-core-1_0.html) describes
> the exp claim in the following way:
>
> > Expiration time on or after which the ID Token MUST NOT be accepted by
> the RP when performing authentication with the OP. The processing of this
> parameter requires that the current date/time MUST be before the expiration
> date/time listed in the value. Implementers MAY provide for some small
> leeway, usually no more than a few minutes, to account for clock skew.
>
> At the same time, the description of the iat claim does not say anything
> specific about whether the ID Token should be accepted or rejected by an RP
> when it gets issued in the "near" future from its point of view (this
> might happen when an RP runs into time skew issues).
>
> I suggest clarifying these things a bit; quick research uncovered that
> different OpenID Connect libraries cover that in different ways (some of
> them take into account small leeway for time in both iat and exp claims,
> others only for time in the exp claim, and so forth).

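To make the difference between the library behaviours the issue describes concrete, here is an added example (not code from the thread or from any OpenID Connect library) that checks exp and iat under both policies: leeway applied to both claims, or to exp only. The TimePolicy class, the function names and the timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class TimePolicy:
    leeway_seconds: int   # tolerated clock skew, "usually no more than a few minutes"
    leeway_on_iat: bool   # True: same leeway applies to iat; False: leeway only on exp


def check_time_claims(claims: dict, now: int, policy: TimePolicy) -> str:
    """Return "ok", or the reason the ID Token's time claims are rejected.

    `claims` is the already signature-verified JWT payload (constructed in
    the examples below); `now` is the RP's clock as a Unix timestamp.
    """
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return "exp missing"
    # exp: the RP's current time must be before exp; the leeway lets a
    # token pass when the RP clock runs slightly ahead of the OP's.
    if now >= exp + policy.leeway_seconds:
        return "expired"
    iat = claims.get("iat")
    if not isinstance(iat, int):
        return "iat missing"
    # iat: the spec is silent on a token from the "near" future (OP clock
    # ahead of the RP). Libraries differ; both behaviours are selectable here.
    future_allowance = policy.leeway_seconds if policy.leeway_on_iat else 0
    if iat > now + future_allowance:
        return "issued in the future"
    return "ok"


def compare_policies(now: int = 1_716_324_000) -> dict:
    """Scenario from the issue: OP clock about 90 s ahead of the RP (constructed data)."""
    skewed = {"iat": now + 90, "exp": now + 90 + 3600}
    policies = {
        "leeway_on_both": TimePolicy(leeway_seconds=120, leeway_on_iat=True),
        "leeway_on_exp_only": TimePolicy(leeway_seconds=120, leeway_on_iat=False),
    }
    return {name: check_time_claims(skewed, now, p) for name, p in policies.items()}


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name}: {verdict}")
```

The same freshly issued token is accepted by one RP and rejected by the other purely because of which claims the leeway covers, which is the inconsistency the issue asks the spec to settle.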