From b526cd7e55ebf30fe7ac9cf68e12efb3ba546561 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 10 Jan 2018 10:34:00 -0800
Subject: [PATCH] Remove requirement for issued at JWT claims (#5364)

Remove the requirement for IssuedAt claims from JWT for now, since we do not currently have a way to provide a leeway window for validating the claims. Expiry does the same checks as IssuedAt with an expiry window. We do not need it right now since we have clock skew check in our RPC layer to handle this correctly.

rpc-common.go
```
func isRequestTimeAllowed(requestTime time.Time) bool {
	// Check whether request time is within acceptable skew time.
	utcNow := UTCNow()
	return !(requestTime.Sub(utcNow) > rpcSkewTimeAllowed || utcNow.Sub(requestTime) > rpcSkewTimeAllowed)
}
```

Once the PR upstream is merged https://github.com/dgrijalva/jwt-go/pull/139 We can bring in support for leeway later.

Fixes #5237
---
 cmd/jwt.go | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/cmd/jwt.go b/cmd/jwt.go
index e8da488dc..19eead653 100644
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@@ -63,14 +63,11 @@ func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string,
 		return "", errAuthentication
 	}
 
-	utcNow := UTCNow()
-	token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
-		ExpiresAt: utcNow.Add(expiry).Unix(),
-		IssuedAt:  utcNow.Unix(),
+	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
+		ExpiresAt: UTCNow().Add(expiry).Unix(),
 		Subject:   accessKey,
 	})
-
-	return token.SignedString([]byte(serverCred.SecretKey))
+	return jwt.SignedString([]byte(serverCred.SecretKey))
 }
 
 func authenticateNode(accessKey, secretKey string) (string, error) {
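Review bot: The new `ExpiresAt: UTCNow().Add(expiry).Unix()` line accepts any `expiry` value, so a zero or negative duration (if a caller can pass one) yields a token that is already expired when it is signed, and nothing in the hunk or the function's doc comment states that `expiry` must be positive. If that contract is intended, a guard before building the claims would make it explicit, e.g. `if expiry <= 0 { return "", errAuthentication }`, or at minimum a comment on the signature such as `// expiry must be positive; the token carries only an ExpiresAt claim, so it is valid from the moment it is signed.` Since IssuedAt is now dropped deliberately, that comment would also record why a freshly minted token has no issue time for later readers of this file. The body of authenticateJWT (including the check that produces `return "", errAuthentication` and the definition of serverCred) begins outside the hunk.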
@@ -127,7 +124,7 @@ func webRequestAuthenticate(req *http.Request) error {
 		return errAuthentication
 	}
 	if err = claims.Valid(); err != nil {
-		return err
+		return errAuthentication
 	}
 	if claims.Subject != globalServerConfig.GetCredential().AccessKey {
 		return errInvalidAccessKeyID
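Review bot: The replaced `return errAuthentication` after `claims.Valid()` discards the concrete validation error without saying why, so a later maintainer may "fix" it back to `return err` and re-expose which claim check failed (expiry versus malformed claims) to the caller. A one-line comment above it would pin the intent: `// Collapse claim-validation failures into a generic error so the response does not reveal which claim check failed.` Dropping `err` entirely also means operators get no record of why a token was rejected; if the package has a debug-level logger, logging `err` there before returning the generic error would keep that signal server-side without changing the response. The enclosing webRequestAuthenticate starts and ends outside the hunk.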