Merge pull request #29 from firebase/hkj-clock-skew

 Tolerating a 5 minute clock skew when verifying JWTs

Author: hiranya911

CHANGELOG.md

@@ -1,6 +1,7 @@
 # Unreleased
 
--
+- [fixed] The `VerifyIdTokenAsync()` function now tolerates a clock skew of up
+  to 5 minutes when comparing JWT timestamps.
 
 # v1.2.0
 

FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseTokenVerifierTest.cs

@@ -30,6 +30,8 @@ namespace FirebaseAdmin.Auth.Tests
 {
     public class FirebaseTokenVerifierTest : IDisposable
     {
+        private const long ClockSkewSeconds = 5 * 60;
+
         private static readonly IPublicKeySource KeySource = new FileSystemPublicKeySource(
             "./resources/public_cert.pem");
 
@@ -130,25 +132,65 @@ await Assert.ThrowsAsync<FirebaseException>(
         [Fact]
         public async Task Expired()
         {
+            var expiryTime = Clock.UnixTimestamp() - (ClockSkewSeconds + 1);
             var payload = new Dictionary<string, object>()
             {
-                { "exp", Clock.UnixTimestamp() - 60 },
+                { "exp", expiryTime },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+            var expectedMessage = $"Firebase ID token expired at {expiryTime}. "
+                + $"Expected to be greater than {Clock.UnixTimestamp()}.";
+            Assert.Equal(expectedMessage, exception.Message);
+        }
+
+        [Fact]
+        public async Task ExpiryTimeInAcceptableRange()
+        {
+            var expiryTimeSeconds = Clock.UnixTimestamp() - ClockSkewSeconds;
+            var payload = new Dictionary<string, object>()
+            {
+                { "exp", expiryTimeSeconds },
+            };
+            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
+
+            var decoded = await TokenVerifier.VerifyTokenAsync(idToken);
+
+            Assert.Equal("testuser", decoded.Uid);
+            Assert.Equal(expiryTimeSeconds, decoded.ExpirationTimeSeconds);
         }
 
         [Fact]
         public async Task InvalidIssuedAt()
         {
+            var issuedAt = Clock.UnixTimestamp() + (ClockSkewSeconds + 1);
             var payload = new Dictionary<string, object>()
             {
-                { "iat", Clock.UnixTimestamp() + 60 },
+                { "iat", issuedAt },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+            var expectedMessage = $"Firebase ID token issued at future timestamp {issuedAt}. "
+                + $"Expected to be less than {Clock.UnixTimestamp()}.";
+            Assert.Equal(expectedMessage, exception.Message);
+        }
+
+        [Fact]
+        public async Task IssuedAtInAcceptableRange()
+        {
+            var issuedAtSeconds = Clock.UnixTimestamp() + ClockSkewSeconds;
+            var payload = new Dictionary<string, object>()
+            {
+                { "iat", issuedAtSeconds },
+            };
+            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
+
+            var decoded = await TokenVerifier.VerifyTokenAsync(idToken);
+
+            Assert.Equal("testuser", decoded.Uid);
+            Assert.Equal(issuedAtSeconds, decoded.IssuedAtTimeSeconds);
         }
 
         [Fact]

FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenVerifier.cs

@@ -38,6 +38,8 @@ internal sealed class FirebaseTokenVerifier
         private const string FirebaseAudience = "https://identitytoolkit.googleapis.com/"
             + "google.identity.identitytoolkit.v1.IdentityToolkit";
 
+        private const long ClockSkewSeconds = 5 * 60;
+
         // See http://oid-info.com/get/2.16.840.1.101.3.4.2.1
         private const string Sha256Oid = "2.16.840.1.101.3.4.2.1";
 
@@ -120,6 +122,8 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
                 + $"{this.shortName}.";
             var issuer = this.issuer + this.ProjectId;
             string error = null;
+            var currentTimeInSeconds = this.clock.UnixTimestamp();
+
             if (string.IsNullOrEmpty(header.KeyId))
             {
                 if (payload.Audience == FirebaseAudience)
@@ -152,13 +156,16 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
                 error = $"{this.shortName} has incorrect issuer (iss) claim. Expected {issuer} but "
                     + $"got {payload.Issuer}.  {projectIdMessage} {verifyTokenMessage}";
             }
-            else if (payload.IssuedAtTimeSeconds > this.clock.UnixTimestamp())
+            else if (payload.IssuedAtTimeSeconds - ClockSkewSeconds > currentTimeInSeconds)
             {
-                error = $"Firebase {this.shortName} issued at future timestamp";
+                error = $"Firebase {this.shortName} issued at future timestamp "
+                    + $"{payload.IssuedAtTimeSeconds}. Expected to be less than "
+                    + $"{currentTimeInSeconds}.";
             }
-            else if (payload.ExpirationTimeSeconds < this.clock.UnixTimestamp())
+            else if (payload.ExpirationTimeSeconds + ClockSkewSeconds < currentTimeInSeconds)
             {
-                error = $"Firebase {this.shortName} expired at {payload.ExpirationTimeSeconds}";
+                error = $"Firebase {this.shortName} expired at {payload.ExpirationTimeSeconds}. "
+                    + $"Expected to be greater than {currentTimeInSeconds}.";
             }
             else if (string.IsNullOrEmpty(payload.Subject))
             {