Comments (6)
Thanks for opening an issue on this!
It's something we've seen issues with in the past, so I've created a ticket internally for us to evaluate whether we can remove the strict validation.
from identity-idp.
That’s awesome! As it stands, there’s no simple integration with node and express that doesn’t include the claim in a way that cannot be overridden without forking the entire openid-client code base. So it’d be nice to see this relaxed on the part of login.gov!
from identity-idp.
Just in case others find themselves here, I figured out a (suboptimal) workaround given that it looks like the way iat
gets validated by identity-idp is pretty basic — it just has to be a number and has to be the current time or earlier. That's it. So all you have to do is make sure that iat
is any time prior to the current time, and validation will succeed.
The only way to affect the iat
claim with openid-client's provided Passport strategy is a way available at the time you construct the strategy — so you can't set iat
dynamically at the time of an authentication attempt. At construction time, you can pass in extra parameters, one of which (clientAssertionPayload
) is an object that gets merged into the object that forms the client_assertion
parameter to the token call. So, for now, all I'm doing is setting clientAssertionPayload.iat
to the current time at the moment I construct the strategy; then, at the time of an authorization attempt, it gets merged in to override the potentially-problematic iat
. It seems to work perfectly... for now.
So, this is how I construct and use the new strategy (after having created my Issuer.Client loginGovClient
and setting up my strategy params strat_params
):
const loginGovStrategy = new Strategy({
client: loginGovClient,
params: strat_params,
extras: { clientAssertionPayload: { iat: Math.floor(Date.now() / 1000) }
}}, function(tokenset, userinfo, done) {
console.log('in passport oidc strategy');
// whatever you're going to do here
return done(null, userinfo);
});
passport.use('oidc', loginGovStrategy);
Hope this is helpful to others, until perhaps the iat
strict validation can be relaxed at bit on the login.gov server side!
from identity-idp.
@delfuego as an aside, if a given profile allows you to omit iat
altogether - just pass the value as undefined during strategy initialization and the claim will be omitted from all future asssertions.
from identity-idp.
I'm using the node openid-client library to authenticate to login.gov, and on initial implementation, I struggled with failures — the entire flow through to the token endpoint would complete, but then the token endpoint was returning an error reporting an invalid client assertion
iat
value. (I recognize that the login.gov spec doesn't sayiat
is mandatory, but it's a valid claim in the OIDC spec and the openid-client library includes it in all callbacks to the token endpoint.)Debugging it in the openid-client library, if I eliminated the
iat
claim, everything then succeeded; if I kept it in, and subtracted a single second from it, it also succeeded. So, it looks like there might be some incredibly strict time intolerance on the login.gov platform somewhere that would be worth loosening.(Note that in the OIDC core spec section 3.1.3.7, point #10 says it is entirely client-determined what range of values for
iat
to accept; it feels like login.gov might be enforcing a restriction that doesn't even allow a single second's difference between a client's system clock and the login.gov server clock.)Steps to reproduce the issue (please be as specific as possible)
- Initiate an OIDC authentication to login.gov, and then at the token request step, include an
iat
claim in theclient_assertion
that is set to the exact current unix timestamp.Expected behavior
- The token request would succeed.
Actual behavior
- The token request fails with an HTTP 400 and an error "Client assertion invalid iat".
in the OIDC core spec section 3.1.3.7 point 10 is irrelevant for this discussion as it talks about ID Token validation, not client assertion JWTs.
What's relevant is
- https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12#section-3
- https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
- https://tools.ietf.org/html/rfc7519#section-4.1.6
iat
OPTIONAL. Time at which the JWT was issued.
- The JWT MAY contain an "iat" (issued at) claim that identifies
the time at which the JWT was issued. Note that the
authorization server may reject JWTs with an "iat" claim value
that is unreasonably far in the past.
There are OIDC profiles that require iat
to be present (FAPI) which is why i rather include it all the time.
from identity-idp.
@panva I tried to set iat
to undefined at strategy initialization, and as far as I can tell, it doesn't work — the iat
that's set in helpers/client#authFor
still carries all the way through to the client assertion JWT. (But if there's further debugging, we should probably take this back to your project's issues rather than continue the thread here in identity-idp.)
from identity-idp.
Related Issues (20)
- 2FA Code field does not auto populate in Safari browser HOT 1
- Error connecting to Redis on localhost:6379 (Errno::ECONNREFUSED= HOT 1
- Display "Login.gov" as "From" name in email headers when rendering user emails HOT 5
- FIDO/WebAuthn regression on Safari HOT 3
- API to be able to use it as a Login option for websites HOT 1
- Platofrm authenticators (TouchID/FaceID and Windows Hello) not suported HOT 2
- Deprecating `clipboard-polyfill` HOT 3
- OIDC tests use incorrect PKCE code_challenge computation
- Requesting query string for 'signup page' HOT 2
- By "same question", I meant whether we should be checking for SMS in this condition.
- Authentication Context Reference (ACR) implementation does not follow standard practices HOT 1
- Personal key sign-in message does not correctly substitute app name HOT 3
- Typo: Lettter
- FIDO2 enrollment fails in Firefox because AuthenticatorAttestationResponse.getTransports() is not supported HOT 3
- Missing option to add Face / Touch ID (WebAuthn passkey) logins HOT 3
- Incorrect CSP prevents redirect from OIDC logout confirmation page HOT 2
- For some apps, logout fails if user has logged in with another browser HOT 15
- Adding a passkey fails when using 1password's browser extension on Linux HOT 10
- Unable to log into my Trusted Traveler Program Account HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from identity-idp.