test(openid): add missing token validation cases

nais · Nov 6, 2024 · b4b38f3 · b4b38f3
1 parent 26b026f
commit b4b38f3
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/pkg/openid/tokens.go b/pkg/openid/tokens.go
@@ -21,6 +21,8 @@ const (
 	LocaleClaim   = "locale"
 	SidClaim      = "sid"
 	OidClaim      = "oid"
+
+	AcceptableSkew = 5 * time.Second
 )
 
 type Tokens struct {
@@ -109,7 +111,7 @@ func (in *IDToken) Validate(cfg openidconfig.Config, cookie *LoginCookie, jwks *
 		//  If a nonce value was sent in the Authentication Request, a `nonce` Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request.
 		jwt.WithClaimValue("nonce", cookie.Nonce),
 		// Skew tolerance for time-based claims (exp, iat, nbf)
-		jwt.WithAcceptableSkew(5 * time.Second),
+		jwt.WithAcceptableSkew(AcceptableSkew),
 	}
 
 	if openIDconfig.SidClaimRequired() {

diff --git a/pkg/openid/tokens_test.go b/pkg/openid/tokens_test.go
@@ -214,6 +214,33 @@ func TestIDToken_Validate(t *testing.T) {
 			},
 			expectErr: `"iss" not satisfied: required claim not found`,
 		},
+		{
+			name: "iat is in the future",
+			claims: &claims{
+				set: map[string]any{
+					"iat": time.Now().Add(openid.AcceptableSkew + 5*time.Second).Unix(),
+				},
+			},
+			expectErr: `"iat" not satisfied`,
+		},
+		{
+			name: "exp is in the past",
+			claims: &claims{
+				set: map[string]any{
+					"exp": time.Now().Add(-openid.AcceptableSkew - 5*time.Second).Unix(),
+				},
+			},
+			expectErr: `"exp" not satisfied`,
+		},
+		{
+			name: "nbf is in the future",
+			claims: &claims{
+				set: map[string]any{
+					"nbf": time.Now().Add(openid.AcceptableSkew + 5*time.Second).Unix(),
+				},
+			},
+			expectErr: `"nbf" not satisfied`,
+		},
 		{
 			name: "issuer mismatch",
 			claims: &claims{