From 112f9ae0875f608e234f88ce2f307362ce2d7240 Mon Sep 17 00:00:00 2001
From: Pavel M
Date: Thu, 4 Nov 2021 22:03:43 +0300
Subject: [PATCH] claim exp should be integer (#13582)

claim exp can be - float64 - json.Number As per OIDC spec https://openid.net/specs/openid-connect-core-1_0.html#IDToken Avoid using strings since the upstream library only supports these two types now.
---
 internal/config/identity/openid/jwt.go | 3 +--
 internal/config/identity/openid/jwt_test.go | 28 +++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/internal/config/identity/openid/jwt.go b/internal/config/identity/openid/jwt.go
index 55335fe12..9b35e9785 100644
--- a/internal/config/identity/openid/jwt.go
+++ b/internal/config/identity/openid/jwt.go
@@ -287,8 +287,7 @@ func updateClaimsExpiry(dsecs string, claims map[string]interface{}) error {
 defaultExpiryDuration = time.Unix(expAt, 0).UTC().Sub(time.Now().UTC())
 }
 // else honor the specified expiry duration.
- expiry := time.Now().UTC().Add(defaultExpiryDuration).Unix()
- claims["exp"] = strconv.FormatInt(expiry, 10) // update with new expiry.
+ claims["exp"] = time.Now().UTC().Add(defaultExpiryDuration).Unix() // update with new expiry.
 return nil
 }
 
diff --git a/internal/config/identity/openid/jwt_test.go b/internal/config/identity/openid/jwt_test.go
index abc297aee..27d3e8f02 100644
--- a/internal/config/identity/openid/jwt_test.go
+++ b/internal/config/identity/openid/jwt_test.go
@@ -19,12 +19,15 @@ package openid
 
 import (
 "crypto"
+ "encoding/base64"
 "encoding/json"
 "net/url"
 "sync"
 "testing"
 "time"
 
+ jwtg "github.com/golang-jwt/jwt"
+ jwtm "github.com/minio/minio/internal/jwt"
 xnet "github.com/minio/pkg/net"
 )
 
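Review bot: The added line in updateClaimsExpiry stores `exp` as the `int64` returned by `Unix()`, while the commit message names float64 and json.Number as the only types the upstream library now accepts, so validating this map in memory as upstream `MapClaims` (before it is signed and re-decoded, which turns the value into float64) would presumably still reject the claim — worth confirming against upstream `VerifyExpiresAt` and the callers of this function. If that path exists, `expiry := time.Now().Add(defaultExpiryDuration).Unix()` followed by `claims["exp"] = json.Number(strconv.FormatInt(expiry, 10))` keeps the integer exact and matches one of the two named types (this assumes encoding/json is imported in jwt.go; strconv already was). Independently, the `.UTC()` before `.Unix()` is a no-op since Unix time is zone-independent and can be dropped. updateClaimsExpiry starts before this hunk.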
@@ -202,3 +205,28 @@ func TestDefaultExpiryDuration(t *testing.T) {
 }
 }
 }
+
+func TestExpCorrect(t *testing.T) {
+ signKey, _ := base64.StdEncoding.DecodeString("NTNv7j0TuYARvmNMmWXo6fKvM4o6nv/aUi9ryX38ZH+L1bkrnD1ObOQ8JAUmHCBq7Iy7otZcyAagBLHVKvvYaIpmMuxmARQ97jUVG16Jkpkp1wXOPsrF9zwew6TpczyHkHgX5EuLg2MeBuiT/qJACs1J0apruOOJCg/gOtkjB4c=")
+
+ claimsMap := jwtm.NewMapClaims()
+ claimsMap.SetExpiry(time.Now().Add(time.Minute))
+ claimsMap.SetAccessKey("test-access")
+ if err := updateClaimsExpiry("3600", claimsMap.MapClaims); err != nil {
+ t.Error(err)
+ }
+ // Build simple toke with updated expiration claim
+ token := jwtg.NewWithClaims(jwtg.SigningMethodHS256, claimsMap)
+ tokenString, err := token.SignedString(signKey)
+ if err != nil {
+ t.Error(err)
+ }
+
+ // Parse token to be sure it is valid
+ err = jwtm.ParseWithClaims(tokenString, claimsMap, func(*jwtm.MapClaims) ([]byte, error) {
+ return signKey, nil
+ })
+ if err != nil {
+ t.Error(err)
+ }
+}
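Review bot: The three `t.Error(err)` calls in TestExpCorrect let the test run on after a failure, so a failed `updateClaimsExpiry` or `SignedString` still feeds an empty `tokenString` into `ParseWithClaims` and reports a second, misleading error; `t.Fatal(err)` is the right call at each site, and the base64 decode on the first line should check its error rather than discard it with `_`. The test also never inspects the type that `updateClaimsExpiry` stored in `claimsMap.MapClaims["exp"]`, which is exactly what this commit changes: after the sign/parse round-trip the claim is re-decoded from JSON, so a successful parse says little about the in-memory type, and a `%T` check right after the update would pin it. The comment `// Build simple toke with updated expiration claim` has a typo (`token`). The rewritten lines are below.
```go
	signKey, err := base64.StdEncoding.DecodeString(/* … unchanged: base64 key literal … */)
	if err != nil {
		t.Fatal(err)
	}
	// … unchanged: claimsMap setup …
	if err := updateClaimsExpiry("3600", claimsMap.MapClaims); err != nil {
		t.Fatal(err)
	}
	if _, ok := claimsMap.MapClaims["exp"].(int64); !ok {
		t.Fatalf("exp claim has type %T, want int64", claimsMap.MapClaims["exp"])
	}
	// Build simple token with updated expiration claim
	// … unchanged: NewWithClaims / SignedString …
	if err != nil {
		t.Fatal(err)
	}
	// … unchanged: ParseWithClaims …
	if err != nil {
		t.Fatal(err)
	}
```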