Tolerating a 5 minute clock skew when verifying JWTs

hiranya911 · hiranya911 · commit 7538ebd9b3e9 · 2019-02-26T15:26:55.000-08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Unreleased
 
--
+- [fixed] The `VerifyIdToken()Async` function fnow tolerates a clock skew of up to
+  5 minutes when comparing JWT timestamps.
 
 # v1.2.0
 
diff --git a/FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseTokenVerifierTest.cs b/FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseTokenVerifierTest.cs
@@ -30,6 +30,8 @@ namespace FirebaseAdmin.Auth.Tests
 {
     public class FirebaseTokenVerifierTest : IDisposable
     {
+        private const long ClockSkewSeconds = 5 * 60;
+
         private static readonly IPublicKeySource KeySource = new FileSystemPublicKeySource(
             "./resources/public_cert.pem");
 
@@ -132,25 +134,57 @@ public async Task Expired()
         {
             var payload = new Dictionary<string, object>()
             {
-                { "exp", Clock.UnixTimestamp() - 60 },
+                { "exp", Clock.UnixTimestamp() - (ClockSkewSeconds + 1) },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
             await Assert.ThrowsAsync<FirebaseException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
         }
 
+        [Fact]
+        public async Task ExpiryTimeInAcceptableRange()
+        {
+            var expiryTimeSeconds = Clock.UnixTimestamp() - ClockSkewSeconds;
+            var payload = new Dictionary<string, object>()
+            {
+                { "exp", expiryTimeSeconds },
+            };
+            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
+
+            var decoded = await TokenVerifier.VerifyTokenAsync(idToken);
+
+            Assert.Equal("testuser", decoded.Uid);
+            Assert.Equal(expiryTimeSeconds, decoded.ExpirationTimeSeconds);
+        }
+
         [Fact]
         public async Task InvalidIssuedAt()
         {
             var payload = new Dictionary<string, object>()
             {
-                { "iat", Clock.UnixTimestamp() + 60 },
+                { "iat", Clock.UnixTimestamp() + (ClockSkewSeconds + 1) },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
             await Assert.ThrowsAsync<FirebaseException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
         }
 
+        [Fact]
+        public async Task IssuedAtInAcceptableRange()
+        {
+            var issuedAtSeconds = Clock.UnixTimestamp() + ClockSkewSeconds;
+            var payload = new Dictionary<string, object>()
+            {
+                { "iat", issuedAtSeconds },
+            };
+            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
+
+            var decoded = await TokenVerifier.VerifyTokenAsync(idToken);
+
+            Assert.Equal("testuser", decoded.Uid);
+            Assert.Equal(issuedAtSeconds, decoded.IssuedAtTimeSeconds);
+        }
+
         [Fact]
         public async Task InvalidIssuer()
         {
diff --git a/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenVerifier.cs b/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenVerifier.cs
@@ -38,6 +38,8 @@ internal sealed class FirebaseTokenVerifier
         private const string FirebaseAudience = "https://identitytoolkit.googleapis.com/"
             + "google.identity.identitytoolkit.v1.IdentityToolkit";
 
+        private const long ClockSkewSeconds = 5 * 60;
+
         // See http://oid-info.com/get/2.16.840.1.101.3.4.2.1
         private const string Sha256Oid = "2.16.840.1.101.3.4.2.1";
 
@@ -120,6 +122,8 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
                 + $"{this.shortName}.";
             var issuer = this.issuer + this.ProjectId;
             string error = null;
+            var currentTimeInSeconds = this.clock.UnixTimestamp();
+
             if (string.IsNullOrEmpty(header.KeyId))
             {
                 if (payload.Audience == FirebaseAudience)
@@ -152,13 +156,16 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
                 error = $"{this.shortName} has incorrect issuer (iss) claim. Expected {issuer} but "
                     + $"got {payload.Issuer}.  {projectIdMessage} {verifyTokenMessage}";
             }
-            else if (payload.IssuedAtTimeSeconds > this.clock.UnixTimestamp())
+            else if (payload.IssuedAtTimeSeconds - ClockSkewSeconds > currentTimeInSeconds)
             {
-                error = $"Firebase {this.shortName} issued at future timestamp";
+                error = $"Firebase {this.shortName} issued at future timestamp "
+                    + $"{payload.IssuedAtTimeSeconds}. Expected to be greater than "
+                    + $"{currentTimeInSeconds}.";
             }
-            else if (payload.ExpirationTimeSeconds < this.clock.UnixTimestamp())
+            else if (payload.ExpirationTimeSeconds + ClockSkewSeconds < currentTimeInSeconds)
             {
-                error = $"Firebase {this.shortName} expired at {payload.ExpirationTimeSeconds}";
+                error = $"Firebase {this.shortName} expired at {payload.ExpirationTimeSeconds}. "
+                    + $" Expected to be less than ${currentTimeInSeconds}.";
             }
             else if (string.IsNullOrEmpty(payload.Subject))
             {

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,8 @@ internal sealed class FirebaseTokenVerifier`
`38`	`38`	`private const string FirebaseAudience = "https://identitytoolkit.googleapis.com/"`
`39`	`39`	`+ "google.identity.identitytoolkit.v1.IdentityToolkit";`
`40`	`40`
	`41`	`+ private const long ClockSkewSeconds = 5 * 60;`
	`42`	`+`
`41`	`43`	`// See http://oid-info.com/get/2.16.840.1.101.3.4.2.1`
`42`	`44`	`private const string Sha256Oid = "2.16.840.1.101.3.4.2.1";`
`43`	`45`
`@@ -120,6 +122,8 @@ internal async Task<FirebaseToken> VerifyTokenAsync(`
`120`	`122`	`+ $"{this.shortName}.";`
`121`	`123`	`var issuer = this.issuer + this.ProjectId;`
`122`	`124`	`string error = null;`
	`125`	`+ var currentTimeInSeconds = this.clock.UnixTimestamp();`
	`126`	`+`
`123`	`127`	`if (string.IsNullOrEmpty(header.KeyId))`
`124`	`128`	`{`
`125`	`129`	`if (payload.Audience == FirebaseAudience)`
`@@ -152,13 +156,16 @@ internal async Task<FirebaseToken> VerifyTokenAsync(`
`152`	`156`	`error = $"{this.shortName} has incorrect issuer (iss) claim. Expected {issuer} but "`
`153`	`157`	`+ $"got {payload.Issuer}. {projectIdMessage} {verifyTokenMessage}";`
`154`	`158`	`}`
`155`		`- else if (payload.IssuedAtTimeSeconds > this.clock.UnixTimestamp())`
	`159`	`+ else if (payload.IssuedAtTimeSeconds - ClockSkewSeconds > currentTimeInSeconds)`
`156`	`160`	`{`
`157`		`- error = $"Firebase {this.shortName} issued at future timestamp";`
	`161`	`+ error = $"Firebase {this.shortName} issued at future timestamp "`
	`162`	`+ + $"{payload.IssuedAtTimeSeconds}. Expected to be greater than "`
	`163`	`+ + $"{currentTimeInSeconds}.";`
`158`	`164`	`}`
`159`		`- else if (payload.ExpirationTimeSeconds < this.clock.UnixTimestamp())`
	`165`	`+ else if (payload.ExpirationTimeSeconds + ClockSkewSeconds < currentTimeInSeconds)`
`160`	`166`	`{`
`161`		`- error = $"Firebase {this.shortName} expired at {payload.ExpirationTimeSeconds}";`
	`167`	`+ error = $"Firebase {this.shortName} expired at {payload.ExpirationTimeSeconds}. "`
	`168`	`+ + $" Expected to be less than ${currentTimeInSeconds}.";`
`162`	`169`	`}`
`163`	`170`	`else if (string.IsNullOrEmpty(payload.Subject))`
`164`	`171`	`{`