Remove iat claim value check #229

Merged
merged 1 commit into from
Jun 30, 2020

Conversation

lbalmaceda
Contributor

Changes

According to the spec, checking this value should be optional. The presence check, however, is not. That remains.

References

https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.

Testing

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of Ruby

Checklist

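As an added example, not code from this PR or from the library it changes, the following Ruby sketch shows the split the description refers to: the `iat` claim must be present and numeric, while rejecting tokens issued too long ago (or too far in the future) is an optional, client-specific policy. The `max_age` and `leeway` parameter names, the `IatValidationError` class and the sample claims and timestamps are assumptions constructed for the example; the token is unsigned (`alg: none`) purely so the decode path can run offline, and a real validator must verify the signature before trusting any claim.

```ruby
require 'json'

# Assumed error class for this example (not the library's).
class IatValidationError < StandardError; end

# Minimal base64url helpers so the example needs only the standard JSON library.
def urlsafe_b64encode(str)
  [str].pack('m0').tr('+/', '-_').delete('=')
end

def urlsafe_b64decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m')
end

# Decode the payload segment of a compact-serialised JWT. No signature check is
# performed here; this exists only so the example can run on a constructed token.
def decode_payload(jwt)
  segments = jwt.split('.', -1)
  raise IatValidationError, 'malformed token' unless segments.length == 3
  JSON.parse(urlsafe_b64decode(segments[1]))
end

# Build an unsigned token (alg "none") from a claims hash. Constructed for the
# example only; never accept alg "none" tokens in a real validator.
def build_unsigned_token(claims)
  header = urlsafe_b64encode({ alg: 'none', typ: 'JWT' }.to_json)
  "#{header}.#{urlsafe_b64encode(claims.to_json)}."
end

# Validate the iat claim following OIDC Core 1.0 section 3.1.3.7:
#   - presence (and a numeric timestamp) is mandatory;
#   - rejecting tokens issued too far from "now" is optional and client-specific,
#     enabled here by passing max_age (seconds). leeway tolerates clock skew.
def validate_iat(claims, now:, max_age: nil, leeway: 0)
  iat = claims['iat']
  raise IatValidationError, 'iat claim is missing' if iat.nil?
  raise IatValidationError, 'iat claim must be a numeric timestamp' unless iat.is_a?(Numeric)

  # Optional value check, only when the client configured a policy.
  if iat > now + leeway
    raise IatValidationError, "iat #{iat} is in the future (now #{now}, leeway #{leeway}s)"
  end
  if max_age && (now - iat) > max_age
    raise IatValidationError, "token issued #{now - iat}s ago exceeds max_age of #{max_age}s"
  end
  true
end

# Convenience wrapper: true when the claims are rejected, false when accepted.
def iat_rejected?(claims, **opts)
  validate_iat(claims, **opts)
  false
rescue IatValidationError
  true
end

# Constructed sample claims and clock value (not real data).
SAMPLE_CLAIMS = {
  'iss' => 'https://issuer.example/',
  'sub' => 'user-123',
  'aud' => 'client-abc',
  'iat' => 1_593_500_000,
  'exp' => 1_593_503_600
}.freeze
SAMPLE_NOW = 1_593_500_100 # 100 seconds after issuance

if __FILE__ == $PROGRAM_NAME
  token = build_unsigned_token(SAMPLE_CLAIMS)
  claims = decode_payload(token)
  puts "presence only:        #{validate_iat(claims, now: SAMPLE_NOW)}"
  puts "max_age 300 accepted: #{!iat_rejected?(claims, now: SAMPLE_NOW, max_age: 300)}"
  puts "max_age 60 rejected:  #{iat_rejected?(claims, now: SAMPLE_NOW, max_age: 60)}"
  puts "missing iat rejected: #{iat_rejected?(claims.reject { |k, _| k == 'iat' }, now: SAMPLE_NOW)}"
end
```

With no `max_age` the validator only enforces presence and type, which is the behaviour this PR moves to; a client that wants the spec's optional protection opts in by passing a window, and `leeway` keeps a slightly fast issuer clock from producing spurious "issued in the future" failures.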
@lbalmaceda lbalmaceda requested a review from a team June 29, 2020 21:20
@lbalmaceda lbalmaceda added this to the v4.14.0 milestone Jun 29, 2020
@lbalmaceda lbalmaceda merged commit a878257 into master Jun 30, 2020
@lbalmaceda lbalmaceda deleted the rm-iat branch June 30, 2020 13:07
@davidpatrick davidpatrick mentioned this pull request Jul 20, 2020