From bc9ebba75f4c9eec19be1792990ef6455c245c85 Mon Sep 17 00:00:00 2001 From: Nishant Srivastava Date: Mon, 26 Feb 2024 12:08:05 +0100 Subject: [PATCH 1/2] Idtoken time skew (#1) * Skip issue time validation or change the allowed time skew Allows to completely disable ID tokens issue time validation, or change the default of 10 minutes to a custom allowed time skew in seconds. * Update documentation to change the allowed id token time skew --------- Co-authored-by: Tim Klingeleers --- README.md | 18 +++++- .../openid/appauth/AppAuthConfiguration.java | 48 +++++++++++++++- .../openid/appauth/AuthorizationService.java | 16 +++++- library/java/net/openid/appauth/IdToken.java | 23 +++++--- .../net/openid/appauth/IdTokenTest.java | 56 ++++++++++++++++++- 5 files changed, 145 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 1c283f44..569ac275 100644 --- a/README.md +++ b/README.md @@ -619,7 +619,7 @@ AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder() ID Token validation was introduced in `0.8.0` but not all authorization servers or configurations support it correctly. -- For testing environments [setSkipIssuerHttpsCheck](https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AppAuthConfiguration.java#L129) can be used to bypass the fact the issuer needs to be HTTPS. +- For testing environments [setSkipIssuerHttpsCheck](https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AppAuthConfiguration.java#L143) can be used to bypass the fact the issuer needs to be HTTPS. ```java AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder() @@ -635,6 +635,22 @@ AuthorizationRequest authRequest = authRequestBuilder .build(); ``` +- To change the default allowed time skew of 10 minutes for the issue time, [setAllowedIssueTimeSkew](https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AppAuthConfiguration.java#L159) can be used. + +```java +AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder() + .setAllowedIssueTimeSkew(THIRTY_MINUTES_IN_SECONDS) + .build() +``` + +- For testing environments [setSkipIssueTimeValidation](https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AppAuthConfiguration.java#L151) can be used to bypass the issue time validation. + +```java +AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder() + .setSkipIssueTimeValidation(true) + .build() +``` + ## Dynamic client registration AppAuth supports the diff --git a/library/java/net/openid/appauth/AppAuthConfiguration.java b/library/java/net/openid/appauth/AppAuthConfiguration.java index 313541df..5e6f8946 100644 --- a/library/java/net/openid/appauth/AppAuthConfiguration.java +++ b/library/java/net/openid/appauth/AppAuthConfiguration.java @@ -42,13 +42,21 @@ public class AppAuthConfiguration { private final boolean mSkipIssuerHttpsCheck; + private final boolean mSkipIssueTimeValidation; + + private final Long mAllowedIssueTimeSkew; + private AppAuthConfiguration( @NonNull BrowserMatcher browserMatcher, @NonNull ConnectionBuilder connectionBuilder, - Boolean skipIssuerHttpsCheck) { + Boolean skipIssuerHttpsCheck, + Boolean skipIssueTimeValidation, + Long allowedIssueTimeSkew) { mBrowserMatcher = browserMatcher; mConnectionBuilder = connectionBuilder; mSkipIssuerHttpsCheck = skipIssuerHttpsCheck; + mSkipIssueTimeValidation = skipIssueTimeValidation; + mAllowedIssueTimeSkew = allowedIssueTimeSkew; } /** @@ -76,6 +84,22 @@ public ConnectionBuilder getConnectionBuilder() { */ public boolean getSkipIssuerHttpsCheck() { return mSkipIssuerHttpsCheck; } + /** + * Returns true if the ID token issue time validation is disables, + * otherwise false. + * + * @see Builder#setSkipIssueTimeValidation(Boolean) + */ + public boolean getSkipIssueTimeValidation() { return mSkipIssueTimeValidation; } + + /** + * Returns the time in seconds that the ID token issue time is allowed to be + * skewed. + * + * @see Builder#setAllowedIssueTimeSkew(Long) + */ + public Long getAllowedIssueTimeSkew() { return mAllowedIssueTimeSkew; } + /** * Creates {@link AppAuthConfiguration} instances. */ @@ -84,6 +108,8 @@ public static class Builder { private BrowserMatcher mBrowserMatcher = AnyBrowserMatcher.INSTANCE; private ConnectionBuilder mConnectionBuilder = DefaultConnectionBuilder.INSTANCE; private boolean mSkipIssuerHttpsCheck; + private boolean mSkipIssueTimeValidation; + private Long mAllowedIssueTimeSkew; private boolean mSkipNonceVerification; /** @@ -119,6 +145,22 @@ public Builder setSkipIssuerHttpsCheck(Boolean skipIssuerHttpsCheck) { return this; } + /** + * Disables issue time validation for the id token. + */ + public Builder setSkipIssueTimeValidation(Boolean skipIssueTimeValidation) { + mSkipIssueTimeValidation = skipIssueTimeValidation; + return this; + } + + /** + * Sets the allowed time skew in seconds for id token issue time validation. + */ + public Builder setAllowedIssueTimeSkew(Long allowedIssueTimeSkew) { + mAllowedIssueTimeSkew = allowedIssueTimeSkew; + return this; + } + /** * Creates the instance from the configured properties. */ @@ -127,7 +169,9 @@ public AppAuthConfiguration build() { return new AppAuthConfiguration( mBrowserMatcher, mConnectionBuilder, - mSkipIssuerHttpsCheck + mSkipIssuerHttpsCheck, + mSkipIssueTimeValidation, + mAllowedIssueTimeSkew ); } diff --git a/library/java/net/openid/appauth/AuthorizationService.java b/library/java/net/openid/appauth/AuthorizationService.java index b3bdf7ed..56f59f0e 100644 --- a/library/java/net/openid/appauth/AuthorizationService.java +++ b/library/java/net/openid/appauth/AuthorizationService.java @@ -506,7 +506,9 @@ public void performTokenRequest( mClientConfiguration.getConnectionBuilder(), SystemClock.INSTANCE, callback, - mClientConfiguration.getSkipIssuerHttpsCheck()) + mClientConfiguration.getSkipIssuerHttpsCheck(), + mClientConfiguration.getSkipIssueTimeValidation(), + mClientConfiguration.getAllowedIssueTimeSkew()) .execute(); } @@ -585,6 +587,8 @@ private static class TokenRequestTask private TokenResponseCallback mCallback; private Clock mClock; private boolean mSkipIssuerHttpsCheck; + private boolean mSkipIssueTimeValidation; + private Long mAllowedIssueTimeSkew; private AuthorizationException mException; @@ -593,13 +597,17 @@ private static class TokenRequestTask @NonNull ConnectionBuilder connectionBuilder, Clock clock, TokenResponseCallback callback, - Boolean skipIssuerHttpsCheck) { + Boolean skipIssuerHttpsCheck, + Boolean skipissueTimeValidation, + Long allowedIssueTimeSkew) { mRequest = request; mClientAuthentication = clientAuthentication; mConnectionBuilder = connectionBuilder; mClock = clock; mCallback = callback; mSkipIssuerHttpsCheck = skipIssuerHttpsCheck; + mSkipIssueTimeValidation = skipissueTimeValidation; + mAllowedIssueTimeSkew = allowedIssueTimeSkew; } @Override @@ -710,7 +718,9 @@ protected void onPostExecute(JSONObject json) { idToken.validate( mRequest, mClock, - mSkipIssuerHttpsCheck + mSkipIssuerHttpsCheck, + mSkipIssueTimeValidation, + mAllowedIssueTimeSkew ); } catch (AuthorizationException ex) { mCallback.onTokenRequestCompleted(null, ex); diff --git a/library/java/net/openid/appauth/IdToken.java b/library/java/net/openid/appauth/IdToken.java index 4a4556ef..96817170 100644 --- a/library/java/net/openid/appauth/IdToken.java +++ b/library/java/net/openid/appauth/IdToken.java @@ -204,12 +204,14 @@ static IdToken from(String token) throws JSONException, IdTokenException { @VisibleForTesting void validate(@NonNull TokenRequest tokenRequest, Clock clock) throws AuthorizationException { - validate(tokenRequest, clock, false); + validate(tokenRequest, clock, false, false, null); } void validate(@NonNull TokenRequest tokenRequest, Clock clock, - boolean skipIssuerHttpsCheck) throws AuthorizationException { + boolean skipIssuerHttpsCheck, + boolean skipIssueTimeValidation, + @Nullable Long allowedIssueTimeSkew) throws AuthorizationException { // OpenID Connect Core Section 3.1.3.7. rule #1 // Not enforced: AppAuth does not support JWT encryption. @@ -276,13 +278,16 @@ void validate(@NonNull TokenRequest tokenRequest, new IdTokenException("ID Token expired")); } - // OpenID Connect Core Section 3.1.3.7. rule #10 - // Validates that the issued at time is not more than +/- 10 minutes on the current - // time. - if (Math.abs(nowInSeconds - this.issuedAt) > TEN_MINUTES_IN_SECONDS) { - throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR, - new IdTokenException("Issued at time is more than 10 minutes " - + "before or after the current time")); + + if (!skipIssueTimeValidation) { + // OpenID Connect Core Section 3.1.3.7. rule #10 + // Validates that the issued at time is not more than the +/- configured allowed time skew, + // or +/- 10 minutes as a default, on the current time. + if (Math.abs(nowInSeconds - this.issuedAt) > (allowedIssueTimeSkew == null ? TEN_MINUTES_IN_SECONDS : allowedIssueTimeSkew)) { + throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR, + new IdTokenException("Issued at time is more than 10 minutes " + + "before or after the current time")); + } } // Only relevant for the authorization_code response type diff --git a/library/javatests/net/openid/appauth/IdTokenTest.java b/library/javatests/net/openid/appauth/IdTokenTest.java index 13944f7c..7b5a679e 100644 --- a/library/javatests/net/openid/appauth/IdTokenTest.java +++ b/library/javatests/net/openid/appauth/IdTokenTest.java @@ -272,7 +272,7 @@ public void testValidate_shouldSkipNonHttpsIssuer() .setRedirectUri(TEST_APP_REDIRECT_URI) .build(); Clock clock = SystemClock.INSTANCE; - idToken.validate(tokenRequest, clock, true); + idToken.validate(tokenRequest, clock, true, false, null); } @Test(expected = AuthorizationException.class) @@ -464,6 +464,60 @@ public void testValidate_shouldFailOnIssuedAtOverTenMinutesAgo() throws Authoriz idToken.validate(tokenRequest, clock); } + @Test + public void testValidate_withSkipIssueTimeValidation() throws AuthorizationException { + Long nowInSeconds = SystemClock.INSTANCE.getCurrentTimeMillis() / 1000; + Long anHourInSeconds = (long) (60 * 60); + IdToken idToken = new IdToken( + TEST_ISSUER, + TEST_SUBJECT, + Collections.singletonList(TEST_CLIENT_ID), + nowInSeconds, + nowInSeconds - (anHourInSeconds * 2), + TEST_NONCE, + TEST_CLIENT_ID + ); + TokenRequest tokenRequest = getAuthCodeExchangeRequestWithNonce(); + Clock clock = SystemClock.INSTANCE; + idToken.validate(tokenRequest, clock, false, true, null); + } + + @Test(expected = AuthorizationException.class) + public void testValidate_shouldFailOnIssuedAtOverConfiguredTimeSkew() throws AuthorizationException { + Long nowInSeconds = SystemClock.INSTANCE.getCurrentTimeMillis() / 1000; + Long anHourInSeconds = (long) (60 * 60); + IdToken idToken = new IdToken( + TEST_ISSUER, + TEST_SUBJECT, + Collections.singletonList(TEST_CLIENT_ID), + nowInSeconds, + nowInSeconds - anHourInSeconds - 1, + TEST_NONCE, + TEST_CLIENT_ID + ); + TokenRequest tokenRequest = getAuthCodeExchangeRequestWithNonce(); + Clock clock = SystemClock.INSTANCE; + idToken.validate(tokenRequest, clock, false, false, anHourInSeconds); + } + + @Test + public void testValidate_withConfiguredTimeSkew() throws AuthorizationException { + Long nowInSeconds = SystemClock.INSTANCE.getCurrentTimeMillis() / 1000; + Long anHourInSeconds = (long) (60 * 60); + IdToken idToken = new IdToken( + TEST_ISSUER, + TEST_SUBJECT, + Collections.singletonList(TEST_CLIENT_ID), + nowInSeconds, + nowInSeconds - anHourInSeconds, + TEST_NONCE, + TEST_CLIENT_ID + ); + TokenRequest tokenRequest = getAuthCodeExchangeRequestWithNonce(); + Clock clock = SystemClock.INSTANCE; + idToken.validate(tokenRequest, clock, false, false, anHourInSeconds); + } + @Test(expected = AuthorizationException.class) public void testValidate_shouldFailOnNonceMismatch() throws AuthorizationException { Long nowInSeconds = SystemClock.INSTANCE.getCurrentTimeMillis() / 1000; From 1437bde8955a9fd28f58cad9b86817a45d32877d Mon Sep 17 00:00:00 2001 From: Nishant Srivastava Date: Mon, 26 Feb 2024 12:08:10 +0100 Subject: [PATCH 2/2] Revert "Idtoken time skew (#1)" This reverts commit bc9ebba75f4c9eec19be1792990ef6455c245c85. --- README.md | 18 +----- .../openid/appauth/AppAuthConfiguration.java | 48 +--------------- .../openid/appauth/AuthorizationService.java | 16 +----- library/java/net/openid/appauth/IdToken.java | 23 +++----- .../net/openid/appauth/IdTokenTest.java | 56 +------------------ 5 files changed, 16 insertions(+), 145 deletions(-) diff --git a/README.md b/README.md index 569ac275..1c283f44 100644 --- a/README.md +++ b/README.md @@ -619,7 +619,7 @@ AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder() ID Token validation was introduced in `0.8.0` but not all authorization servers or configurations support it correctly. -- For testing environments [setSkipIssuerHttpsCheck](https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AppAuthConfiguration.java#L143) can be used to bypass the fact the issuer needs to be HTTPS. +- For testing environments [setSkipIssuerHttpsCheck](https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AppAuthConfiguration.java#L129) can be used to bypass the fact the issuer needs to be HTTPS. ```java AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder() @@ -635,22 +635,6 @@ AuthorizationRequest authRequest = authRequestBuilder .build(); ``` -- To change the default allowed time skew of 10 minutes for the issue time, [setAllowedIssueTimeSkew](https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AppAuthConfiguration.java#L159) can be used. - -```java -AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder() - .setAllowedIssueTimeSkew(THIRTY_MINUTES_IN_SECONDS) - .build() -``` - -- For testing environments [setSkipIssueTimeValidation](https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AppAuthConfiguration.java#L151) can be used to bypass the issue time validation. - -```java -AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder() - .setSkipIssueTimeValidation(true) - .build() -``` - ## Dynamic client registration AppAuth supports the diff --git a/library/java/net/openid/appauth/AppAuthConfiguration.java b/library/java/net/openid/appauth/AppAuthConfiguration.java index 5e6f8946..313541df 100644 --- a/library/java/net/openid/appauth/AppAuthConfiguration.java +++ b/library/java/net/openid/appauth/AppAuthConfiguration.java @@ -42,21 +42,13 @@ public class AppAuthConfiguration { private final boolean mSkipIssuerHttpsCheck; - private final boolean mSkipIssueTimeValidation; - - private final Long mAllowedIssueTimeSkew; - private AppAuthConfiguration( @NonNull BrowserMatcher browserMatcher, @NonNull ConnectionBuilder connectionBuilder, - Boolean skipIssuerHttpsCheck, - Boolean skipIssueTimeValidation, - Long allowedIssueTimeSkew) { + Boolean skipIssuerHttpsCheck) { mBrowserMatcher = browserMatcher; mConnectionBuilder = connectionBuilder; mSkipIssuerHttpsCheck = skipIssuerHttpsCheck; - mSkipIssueTimeValidation = skipIssueTimeValidation; - mAllowedIssueTimeSkew = allowedIssueTimeSkew; } /** @@ -84,22 +76,6 @@ public ConnectionBuilder getConnectionBuilder() { */ public boolean getSkipIssuerHttpsCheck() { return mSkipIssuerHttpsCheck; } - /** - * Returns true if the ID token issue time validation is disables, - * otherwise false. - * - * @see Builder#setSkipIssueTimeValidation(Boolean) - */ - public boolean getSkipIssueTimeValidation() { return mSkipIssueTimeValidation; } - - /** - * Returns the time in seconds that the ID token issue time is allowed to be - * skewed. - * - * @see Builder#setAllowedIssueTimeSkew(Long) - */ - public Long getAllowedIssueTimeSkew() { return mAllowedIssueTimeSkew; } - /** * Creates {@link AppAuthConfiguration} instances. */ @@ -108,8 +84,6 @@ public static class Builder { private BrowserMatcher mBrowserMatcher = AnyBrowserMatcher.INSTANCE; private ConnectionBuilder mConnectionBuilder = DefaultConnectionBuilder.INSTANCE; private boolean mSkipIssuerHttpsCheck; - private boolean mSkipIssueTimeValidation; - private Long mAllowedIssueTimeSkew; private boolean mSkipNonceVerification; /** @@ -145,22 +119,6 @@ public Builder setSkipIssuerHttpsCheck(Boolean skipIssuerHttpsCheck) { return this; } - /** - * Disables issue time validation for the id token. - */ - public Builder setSkipIssueTimeValidation(Boolean skipIssueTimeValidation) { - mSkipIssueTimeValidation = skipIssueTimeValidation; - return this; - } - - /** - * Sets the allowed time skew in seconds for id token issue time validation. - */ - public Builder setAllowedIssueTimeSkew(Long allowedIssueTimeSkew) { - mAllowedIssueTimeSkew = allowedIssueTimeSkew; - return this; - } - /** * Creates the instance from the configured properties. */ @@ -169,9 +127,7 @@ public AppAuthConfiguration build() { return new AppAuthConfiguration( mBrowserMatcher, mConnectionBuilder, - mSkipIssuerHttpsCheck, - mSkipIssueTimeValidation, - mAllowedIssueTimeSkew + mSkipIssuerHttpsCheck ); } diff --git a/library/java/net/openid/appauth/AuthorizationService.java b/library/java/net/openid/appauth/AuthorizationService.java index 56f59f0e..b3bdf7ed 100644 --- a/library/java/net/openid/appauth/AuthorizationService.java +++ b/library/java/net/openid/appauth/AuthorizationService.java @@ -506,9 +506,7 @@ public void performTokenRequest( mClientConfiguration.getConnectionBuilder(), SystemClock.INSTANCE, callback, - mClientConfiguration.getSkipIssuerHttpsCheck(), - mClientConfiguration.getSkipIssueTimeValidation(), - mClientConfiguration.getAllowedIssueTimeSkew()) + mClientConfiguration.getSkipIssuerHttpsCheck()) .execute(); } @@ -587,8 +585,6 @@ private static class TokenRequestTask private TokenResponseCallback mCallback; private Clock mClock; private boolean mSkipIssuerHttpsCheck; - private boolean mSkipIssueTimeValidation; - private Long mAllowedIssueTimeSkew; private AuthorizationException mException; @@ -597,17 +593,13 @@ private static class TokenRequestTask @NonNull ConnectionBuilder connectionBuilder, Clock clock, TokenResponseCallback callback, - Boolean skipIssuerHttpsCheck, - Boolean skipissueTimeValidation, - Long allowedIssueTimeSkew) { + Boolean skipIssuerHttpsCheck) { mRequest = request; mClientAuthentication = clientAuthentication; mConnectionBuilder = connectionBuilder; mClock = clock; mCallback = callback; mSkipIssuerHttpsCheck = skipIssuerHttpsCheck; - mSkipIssueTimeValidation = skipissueTimeValidation; - mAllowedIssueTimeSkew = allowedIssueTimeSkew; } @Override @@ -718,9 +710,7 @@ protected void onPostExecute(JSONObject json) { idToken.validate( mRequest, mClock, - mSkipIssuerHttpsCheck, - mSkipIssueTimeValidation, - mAllowedIssueTimeSkew + mSkipIssuerHttpsCheck ); } catch (AuthorizationException ex) { mCallback.onTokenRequestCompleted(null, ex); diff --git a/library/java/net/openid/appauth/IdToken.java b/library/java/net/openid/appauth/IdToken.java index 96817170..4a4556ef 100644 --- a/library/java/net/openid/appauth/IdToken.java +++ b/library/java/net/openid/appauth/IdToken.java @@ -204,14 +204,12 @@ static IdToken from(String token) throws JSONException, IdTokenException { @VisibleForTesting void validate(@NonNull TokenRequest tokenRequest, Clock clock) throws AuthorizationException { - validate(tokenRequest, clock, false, false, null); + validate(tokenRequest, clock, false); } void validate(@NonNull TokenRequest tokenRequest, Clock clock, - boolean skipIssuerHttpsCheck, - boolean skipIssueTimeValidation, - @Nullable Long allowedIssueTimeSkew) throws AuthorizationException { + boolean skipIssuerHttpsCheck) throws AuthorizationException { // OpenID Connect Core Section 3.1.3.7. rule #1 // Not enforced: AppAuth does not support JWT encryption. @@ -278,16 +276,13 @@ void validate(@NonNull TokenRequest tokenRequest, new IdTokenException("ID Token expired")); } - - if (!skipIssueTimeValidation) { - // OpenID Connect Core Section 3.1.3.7. rule #10 - // Validates that the issued at time is not more than the +/- configured allowed time skew, - // or +/- 10 minutes as a default, on the current time. - if (Math.abs(nowInSeconds - this.issuedAt) > (allowedIssueTimeSkew == null ? TEN_MINUTES_IN_SECONDS : allowedIssueTimeSkew)) { - throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR, - new IdTokenException("Issued at time is more than 10 minutes " - + "before or after the current time")); - } + // OpenID Connect Core Section 3.1.3.7. rule #10 + // Validates that the issued at time is not more than +/- 10 minutes on the current + // time. + if (Math.abs(nowInSeconds - this.issuedAt) > TEN_MINUTES_IN_SECONDS) { + throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR, + new IdTokenException("Issued at time is more than 10 minutes " + + "before or after the current time")); } // Only relevant for the authorization_code response type diff --git a/library/javatests/net/openid/appauth/IdTokenTest.java b/library/javatests/net/openid/appauth/IdTokenTest.java index 7b5a679e..13944f7c 100644 --- a/library/javatests/net/openid/appauth/IdTokenTest.java +++ b/library/javatests/net/openid/appauth/IdTokenTest.java @@ -272,7 +272,7 @@ public void testValidate_shouldSkipNonHttpsIssuer() .setRedirectUri(TEST_APP_REDIRECT_URI) .build(); Clock clock = SystemClock.INSTANCE; - idToken.validate(tokenRequest, clock, true, false, null); + idToken.validate(tokenRequest, clock, true); } @Test(expected = AuthorizationException.class) @@ -464,60 +464,6 @@ public void testValidate_shouldFailOnIssuedAtOverTenMinutesAgo() throws Authoriz idToken.validate(tokenRequest, clock); } - @Test - public void testValidate_withSkipIssueTimeValidation() throws AuthorizationException { - Long nowInSeconds = SystemClock.INSTANCE.getCurrentTimeMillis() / 1000; - Long anHourInSeconds = (long) (60 * 60); - IdToken idToken = new IdToken( - TEST_ISSUER, - TEST_SUBJECT, - Collections.singletonList(TEST_CLIENT_ID), - nowInSeconds, - nowInSeconds - (anHourInSeconds * 2), - TEST_NONCE, - TEST_CLIENT_ID - ); - TokenRequest tokenRequest = getAuthCodeExchangeRequestWithNonce(); - Clock clock = SystemClock.INSTANCE; - idToken.validate(tokenRequest, clock, false, true, null); - } - - @Test(expected = AuthorizationException.class) - public void testValidate_shouldFailOnIssuedAtOverConfiguredTimeSkew() throws AuthorizationException { - Long nowInSeconds = SystemClock.INSTANCE.getCurrentTimeMillis() / 1000; - Long anHourInSeconds = (long) (60 * 60); - IdToken idToken = new IdToken( - TEST_ISSUER, - TEST_SUBJECT, - Collections.singletonList(TEST_CLIENT_ID), - nowInSeconds, - nowInSeconds - anHourInSeconds - 1, - TEST_NONCE, - TEST_CLIENT_ID - ); - TokenRequest tokenRequest = getAuthCodeExchangeRequestWithNonce(); - Clock clock = SystemClock.INSTANCE; - idToken.validate(tokenRequest, clock, false, false, anHourInSeconds); - } - - @Test - public void testValidate_withConfiguredTimeSkew() throws AuthorizationException { - Long nowInSeconds = SystemClock.INSTANCE.getCurrentTimeMillis() / 1000; - Long anHourInSeconds = (long) (60 * 60); - IdToken idToken = new IdToken( - TEST_ISSUER, - TEST_SUBJECT, - Collections.singletonList(TEST_CLIENT_ID), - nowInSeconds, - nowInSeconds - anHourInSeconds, - TEST_NONCE, - TEST_CLIENT_ID - ); - TokenRequest tokenRequest = getAuthCodeExchangeRequestWithNonce(); - Clock clock = SystemClock.INSTANCE; - idToken.validate(tokenRequest, clock, false, false, anHourInSeconds); - } - @Test(expected = AuthorizationException.class) public void testValidate_shouldFailOnNonceMismatch() throws AuthorizationException { Long nowInSeconds = SystemClock.INSTANCE.getCurrentTimeMillis() / 1000;