feat(jwt): remove code that deals with exp and iat fields

WE2-584

Signed-off-by: Mati Agukas <[email protected]>

Author: agukasm

src/WebEid.Security.Tests/TestUtils/AuthTokenValidators.cs

@@ -25,7 +25,6 @@ public static IAuthTokenValidator GetAuthTokenValidator(string url, ICache<DateT
         {
             return GetAuthTokenValidatorBuilder(url, cache, certificates)
                 // Assure that all builder methods are covered with tests.
-                .WithAllowedClientClockSkew(TimeSpan.FromMinutes(2))
                 .WithOcspRequestTimeout(TimeSpan.FromSeconds(1))
                 .WithNonceDisabledOcspUrls(new Uri("http://example.org"))
                 .WithoutUserCertificateRevocationCheckWithOcsp()

src/WebEid.Security.Tests/TestUtils/Tokens.cs

@@ -7,6 +7,9 @@ internal static class Tokens
         public const string SignedTest =
             "eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlFQXpDQ0EyV2dBd0lCQWdJUU9Xa0JXWE5ESm0xYnlGZDNYc1drdmpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TVRBeE9EQTVOVEEwTjFvWERUSXpNVEF4TnpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVI1azFsWHp2U2VJOU8vMXMxcFp2amhFVzhuSXRKb0cwRUJGeG1MRVk2UzdraTF2RjJRM1RFRHg2ZE56dEkxWHR4OTZjczhyNHpZVHdkaVFvRGc3azNkaVV1UjluVFdHeFFFTU8xRkRvNFk5ZkFtaVBHV1QrK0d1T1ZvWlFZM1h4aWpnZ0hETUlJQnZ6QUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkhCZ05WSFNBRVFEQStNRElHQ3lzR0FRUUJnNUVoQVFJQk1DTXdJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDBOUVV6QUlCZ1lFQUk5NkFRSXdId1lEVlIwUkJCZ3dGb0VVTXpnd01ERXdPRFUzTVRoQVpXVnpkR2t1WldVd0hRWURWUjBPQkJZRUZPUXN2VFFKRUJWTU1TbWh5Wlg1YmliWUp1YkFNR0VHQ0NzR0FRVUZCd0VEQkZVd1V6QlJCZ1lFQUk1R0FRVXdSekJGRmo5b2RIUndjem92TDNOckxtVmxMMlZ1TDNKbGNHOXphWFJ2Y25rdlkyOXVaR2wwYVc5dWN5MW1iM0l0ZFhObExXOW1MV05sY25ScFptbGpZWFJsY3k4VEFrVk9NQ0FHQTFVZEpRRUIvd1FXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJEQWZCZ05WSFNNRUdEQVdnQlRBaEprcHhFNmZPd0kwOXBuaENsWUFDQ2srZXpCekJnZ3JCZ0VGQlFjQkFRUm5NR1V3TEFZSUt3WUJCUVVITUFHR0lHaDBkSEE2THk5aGFXRXVaR1Z0Ynk1emF5NWxaUzlsYzNSbGFXUXlNREU0TURVR0NDc0dBUVVGQnpBQ2hpbG9kSFJ3T2k4dll5NXpheTVsWlM5VVpYTjBYMjltWDBWVFZFVkpSREl3TVRndVpHVnlMbU55ZERBS0JnZ3Foa2pPUFFRREJBT0Jpd0F3Z1ljQ1FnSDFVc21NZHRMWnRpNTFGcTJRUjR3VWtBd3BzbmhzQlYySFFxVVhGWUJKN0VYbkxDa2FYamRaS2tIcEFCZk0wUUV4N1VVaGFJNGk1M2ppSjdFMVk3V09BQUpCRFg0ejYxcG5pSEphcEkxYmtNSWlKUS90aTdoYThmZEpTTVNwQWRzNUN5SEl5SGtReldsVnk4NmY5bUE3RXUzb1JPLzFxK2VGVXpEYk5OM1Z2eTdnUVdRPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKw5VFT1JHLEpBQUstS1JJU1RKQU4sMzgwMDEwODU3MTgifQ.0Y5CdMiSZ14rOnd7sbp-XeBQ7qrJVd21yTmAbiRnzAXtwqW8ZROg4jL4J7bpQ2fwyUz4-dVwLoVRVnxfJY82b8NXuxXrDb-8MXXmVYrMW0q0kPbEzqFbEnPYHjNnKAN0";
 
+        public const string MinimalFormat =
+            "eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlFQXpDQ0EyV2dBd0lCQWdJUUhXYlZXeENrY1l4Ynp6OW5CekdyRHpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TVRBeU16RTFNek0xT1ZvWERUSXpNVEF5TWpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVEvdSs5SW5jYXJWcGdyQUNONmFSZ1VpVDlsV0M5SDdsbG54b0VYZTh4b0NJOTgyTWQ4WXVKc1ZmUmRlRzVqd1ZmWGUwTjZLa0hMRlJBUnNwc3Q4cW5BQ1VMa3FGTmF0L0tqK1hSd0oyVUFOZUozR2w1WEJyK3RuTE51RGYvVWlSNmpnZ0hETUlJQnZ6QUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkhCZ05WSFNBRVFEQStNRElHQ3lzR0FRUUJnNUVoQVFJQk1DTXdJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDBOUVV6QUlCZ1lFQUk5NkFRSXdId1lEVlIwUkJCZ3dGb0VVTXpnd01ERXdPRFUzTVRoQVpXVnpkR2t1WldVd0hRWURWUjBPQkJZRUZPVGRkSG5BOXJKdGJMd2hCTnluMHhaVFFHQ01NR0VHQ0NzR0FRVUZCd0VEQkZVd1V6QlJCZ1lFQUk1R0FRVXdSekJGRmo5b2RIUndjem92TDNOckxtVmxMMlZ1TDNKbGNHOXphWFJ2Y25rdlkyOXVaR2wwYVc5dWN5MW1iM0l0ZFhObExXOW1MV05sY25ScFptbGpZWFJsY3k4VEFrVk9NQ0FHQTFVZEpRRUIvd1FXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJEQWZCZ05WSFNNRUdEQVdnQlRBaEprcHhFNmZPd0kwOXBuaENsWUFDQ2srZXpCekJnZ3JCZ0VGQlFjQkFRUm5NR1V3TEFZSUt3WUJCUVVITUFHR0lHaDBkSEE2THk5aGFXRXVaR1Z0Ynk1emF5NWxaUzlsYzNSbGFXUXlNREU0TURVR0NDc0dBUVVGQnpBQ2hpbG9kSFJ3T2k4dll5NXpheTVsWlM5VVpYTjBYMjltWDBWVFZFVkpSREl3TVRndVpHVnlMbU55ZERBS0JnZ3Foa2pPUFFRREJBT0Jpd0F3Z1ljQ1FnSFlFbGtYNHZuODIxSlI0MWFrSS9scGV4Q25KRlVmNEdpT01iVGZ6QXhwWm1hMzMzUjhMTnJtSTR6YnpEcDAzaHZNVHpINDlnMWpjYkduYUNjYmJvUzhEQUpCT2JlblVwKytMNVZxbGRId0tBcHM2MW5NNFYrVGlMcUQwaklMblR6bCtwVitMZXhOTDN1R3pVZnZ2RE5MSG5GOXQ2eWdpOCtCc2pzdTNpSEh5TTFoYUtNPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiaXNzIjoid2ViLWVpZCBhcHAgMS4wLjIrMCIsIm5vbmNlIjoiMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTEifQ.bICTrRYMbuHLb59ch6dVJIMB1c3046CX-G9Tb3G_d9dA9gOup4Z-n_GAaVas9MAoj7P6NM0Usal_JW3_PFGfRYF0Ji79a_vhAUCsLkqp6JhnSlnv4MJvN5cYef24s4aP";
+
         public const string Corrupted =
             "e1yJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlFQXpDQ0EyV2dBd0lCQWdJUU9Xa0JXWE5ESm0xYnlGZDNYc1drdmpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TVRBeE9EQTVOVEEwTjFvWERUSXpNVEF4TnpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVI1azFsWHp2U2VJOU8vMXMxcFp2amhFVzhuSXRKb0cwRUJGeG1MRVk2UzdraTF2RjJRM1RFRHg2ZE56dEkxWHR4OTZjczhyNHpZVHdkaVFvRGc3azNkaVV1UjluVFdHeFFFTU8xRkRvNFk5ZkFtaVBHV1QrK0d1T1ZvWlFZM1h4aWpnZ0hETUlJQnZ6QUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkhCZ05WSFNBRVFEQStNRElHQ3lzR0FRUUJnNUVoQVFJQk1DTXdJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDBOUVV6QUlCZ1lFQUk5NkFRSXdId1lEVlIwUkJCZ3dGb0VVTXpnd01ERXdPRFUzTVRoQVpXVnpkR2t1WldVd0hRWURWUjBPQkJZRUZPUXN2VFFKRUJWTU1TbWh5Wlg1YmliWUp1YkFNR0VHQ0NzR0FRVUZCd0VEQkZVd1V6QlJCZ1lFQUk1R0FRVXdSekJGRmo5b2RIUndjem92TDNOckxtVmxMMlZ1TDNKbGNHOXphWFJ2Y25rdlkyOXVaR2wwYVc5dWN5MW1iM0l0ZFhObExXOW1MV05sY25ScFptbGpZWFJsY3k4VEFrVk9NQ0FHQTFVZEpRRUIvd1FXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJEQWZCZ05WSFNNRUdEQVdnQlRBaEprcHhFNmZPd0kwOXBuaENsWUFDQ2srZXpCekJnZ3JCZ0VGQlFjQkFRUm5NR1V3TEFZSUt3WUJCUVVITUFHR0lHaDBkSEE2THk5aGFXRXVaR1Z0Ynk1emF5NWxaUzlsYzNSbGFXUXlNREU0TURVR0NDc0dBUVVGQnpBQ2hpbG9kSFJ3T2k4dll5NXpheTVsWlM5VVpYTjBYMjltWDBWVFZFVkpSREl3TVRndVpHVnlMbU55ZERBS0JnZ3Foa2pPUFFRREJBT0Jpd0F3Z1ljQ1FnSDFVc21NZHRMWnRpNTFGcTJRUjR3VWtBd3BzbmhzQlYySFFxVVhGWUJKN0VYbkxDa2FYamRaS2tIcEFCZk0wUUV4N1VVaGFJNGk1M2ppSjdFMVk3V09BQUpCRFg0ejYxcG5pSEphcEkxYmtNSWlKUS90aTdoYThmZEpTTVNwQWRzNUN5SEl5SGtReldsVnk4NmY5bUE3RXUzb1JPLzFxK2VGVXpEYk5OM1Z2eTdnUVdRPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKw5VFT1JHLEpBQUstS1JJU1RKQU4sMzgwMDEwODU3MTgif1Q.0Y5CdMiSZ14rOnd7sbp-XeBQ7qrJVd21yTmAbiRnzAXtwqW8ZROg4jL4J7bpQ2fwyUz4-dVwLoVRVnxfJY82b8NXuxXrDb-8MXXmVYrMW0q0kPbEzqFbEnPYHjNnKAN0";
 

src/WebEid.Security.Tests/Validator/AuthTokenParserTests.cs

@@ -1,6 +1,5 @@
 namespace WebEid.Security.Tests.Validator
 {
-    using System;
     using Exceptions;
     using NUnit.Framework;
     using Security.Validator;
@@ -9,12 +8,10 @@ namespace WebEid.Security.Tests.Validator
     [TestFixture]
     public class AuthTokenParserTests
     {
-        private readonly TimeSpan allowedClockSkew = TimeSpan.FromMinutes(3);
-
         [Test]
         public void PopulateDataFromClaimsFillsCorrectDataAndValidationDoesNotFailFromValidToken()
         {
-            var parser = new AuthTokenParser(Tokens.SignedTest, this.allowedClockSkew, null);
+            var parser = new AuthTokenParser(Tokens.SignedTest, null);
             var data = parser.ParseHeaderFromTokenString();
             parser.ParseClaims();
             parser.PopulateDataFromClaims(data);
@@ -32,43 +29,43 @@ public void PopulateDataFromClaimsFillsCorrectDataAndValidationDoesNotFailFromVa
         [Test]
         public void ParseHeaderFromTokenStringWithMissingX5CFieldThrowsTokenParseException()
         {
-            var parser = new AuthTokenParser(Tokens.X5CMissing, this.allowedClockSkew, null);
+            var parser = new AuthTokenParser(Tokens.X5CMissing, null);
             Assert.Throws<TokenParseException>(() => parser.ParseHeaderFromTokenString());
         }
 
         [Test]
         public void ParseHeaderFromTokenStringWithIncorrectX5CValueThrowsTokenParseException()
         {
-            var parser = new AuthTokenParser(Tokens.X5CNotString, this.allowedClockSkew, null);
+            var parser = new AuthTokenParser(Tokens.X5CNotString, null);
             Assert.Throws<TokenParseException>(() => parser.ParseHeaderFromTokenString());
         }
 
         [Test]
         public void ParseHeaderFromTokenStringWithIncorrectX5CListValueThrowsTokenParseException()
         {
-            var parser = new AuthTokenParser(Tokens.X5CNotArray, this.allowedClockSkew, null);
+            var parser = new AuthTokenParser(Tokens.X5CNotArray, null);
             Assert.Throws<TokenParseException>(() => parser.ParseHeaderFromTokenString());
         }
 
         [Test]
         public void ParseHeaderFromTokenStringWithX5CEmptyValueThrowsTokenParseException()
         {
-            var parser = new AuthTokenParser(Tokens.X5CEmpty, this.allowedClockSkew, null);
+            var parser = new AuthTokenParser(Tokens.X5CEmpty, null);
             Assert.Throws<TokenParseException>(() => parser.ParseHeaderFromTokenString());
         }
 
         [Test]
-        public void ValidateRsaTokenSignatureThrowsTokenExpiredException()
+        public void JwtWithoutDateFieldsDoesNotThrow()
         {
-            var parser = new AuthTokenParser(Tokens.TokenCertRsa, this.allowedClockSkew, null);
+            var parser = new AuthTokenParser(Tokens.MinimalFormat, null);
             var validatorData = parser.ParseHeaderFromTokenString();
-            Assert.Throws<TokenExpiredException>(() => parser.ValidateTokenSignature(validatorData.SubjectCertificate));
+            Assert.DoesNotThrow(() => parser.ValidateTokenSignature(validatorData.SubjectCertificate));
         }
 
         [Test]
         public void ParseHeaderFromTokenStringWithInvalidX5CCertificateThrowsTokenParseException()
         {
-            var parser = new AuthTokenParser(Tokens.X5CInvalidCertificate, this.allowedClockSkew, null);
+            var parser = new AuthTokenParser(Tokens.X5CInvalidCertificate, null);
             Assert.Throws<TokenParseException>(() => parser.ParseHeaderFromTokenString());
         }
     }

src/WebEid.Security.Tests/Validator/AuthTokenValidationConfigurationTests.cs

@@ -78,23 +78,6 @@ public void AuthTokenValidationConfigurationWithZeroOcspRequestTimeoutThrowsArgu
             }
         }
 
-        [Test]
-        public void AuthTokenValidationConfigurationWithZeroAllowedClientClockSkewThrowsArgumentOutOfRangeException()
-        {
-            using (var cache = new MemoryCache<DateTime>())
-            {
-                var configuration = new AuthTokenValidationConfiguration
-                {
-                    SiteOrigin = new Uri("https://valid", UriKind.RelativeOrAbsolute),
-                    NonceCache = cache
-                };
-                configuration.TrustedCaCertificates.Add(new X509Certificate2());
-                configuration.AllowedClientClockSkew = TimeSpan.Zero;
-                Assert.Throws<ArgumentOutOfRangeException>(() => configuration.Validate())
-                    .WithMessage("Allowed client clock skew must be greater than zero (Parameter 'duration')");
-            }
-        }
-
         [Test]
         public void AuthTokenValidationConfigurationWithCorrectDataDoesNotThrowException()
         {
@@ -122,7 +105,6 @@ public void AuthTokenValidationConfigurationCopyCopesAllData()
                     NonceCache = cache
                 };
                 configuration.OcspRequestTimeout = TimeSpan.FromMinutes(1);
-                configuration.AllowedClientClockSkew = TimeSpan.FromMinutes(1);
                 configuration.SiteCertificateSha256Fingerprint = "fingerprint";
                 configuration.TrustedCaCertificates.Add(new X509Certificate2(Certificates.GetTestEsteid2015Ca()));
                 configuration.TrustedCaCertificates.Add(new X509Certificate2(Certificates.GetTestEsteid2018Ca()));

src/WebEid.Security.Tests/Validator/AuthTokenValidatorClockSkewTests.cs

@@ -20,20 +20,17 @@ namespace WebEid.Security.Validator
     public class AuthTokenParser
     {
         private readonly string authToken;
-        private readonly TimeSpan allowedClockSkew;
         private readonly ILogger logger;
         private IEnumerable<Claim> claims;
 
         /// <summary>
         /// Creates an instance of AuthTokenParser
         /// </summary>
         /// <param name="authToken">the Web eID authentication token with signature</param>
-        /// <param name="allowedClockSkew">the tolerated client computer clock skew when verifying the token <code>exp</code>field</param>
         /// <param name="logger">logger instance</param>
-        public AuthTokenParser(string authToken, TimeSpan allowedClockSkew, ILogger logger)
+        public AuthTokenParser(string authToken, ILogger logger)
         {
             this.authToken = authToken;
-            this.allowedClockSkew = allowedClockSkew;
             this.logger = logger;
         }
 
@@ -81,7 +78,7 @@ internal AuthTokenValidatorData ParseHeaderFromTokenString()
 
         internal void ValidateTokenSignature(X509Certificate certificate)
         {
-            ValidateTokenSignature(this.authToken, certificate, this.allowedClockSkew);
+            ValidateTokenSignature(this.authToken, certificate);
         }
 
         /// <summary>
@@ -91,8 +88,7 @@ internal void ValidateTokenSignature(X509Certificate certificate)
         /// <param name="certificate">User certificate from x5c field of JWT token</param>
         /// <param name="allowedClockSkew"></param>
         private static void ValidateTokenSignature(string authToken,
-            X509Certificate certificate,
-            TimeSpan allowedClockSkew)
+            X509Certificate certificate)
         {
             try
             {
@@ -102,18 +98,7 @@ private static void ValidateTokenSignature(string authToken,
                 // Validate only issuer signing key
                 var validationParameters = new TokenValidationParameters()
                 {
-                    ClockSkew = allowedClockSkew,
-                    ValidateLifetime = true,
-                    LifetimeValidator = (notBefore, expires, securityToken, tokenValidationParameters) =>
-                    {
-                        var clonedParameters = tokenValidationParameters.Clone();
-                        clonedParameters.LifetimeValidator = null;
-                        Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(notBefore,
-                            expires,
-                            securityToken,
-                            clonedParameters);
-                        return true;
-                    },
+                    ValidateLifetime = false,
                     ValidateAudience = false,
                     ValidateActor = false,
                     ValidateTokenReplay = false,

src/WebEid.Security/Validator/AuthTokenParser.cs

@@ -24,7 +24,6 @@ private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other)
             this.TrustedCaCertificates = new List<X509Certificate2>(other.TrustedCaCertificates);
             this.IsUserCertificateRevocationCheckWithOcspEnabled = other.IsUserCertificateRevocationCheckWithOcspEnabled;
             this.OcspRequestTimeout = other.OcspRequestTimeout;
-            this.AllowedClientClockSkew = other.AllowedClientClockSkew;
             this.DesignatedOcspServiceConfiguration = other.DesignatedOcspServiceConfiguration;
             this.IsSiteCertificateFingerprintValidationEnabled = other.IsSiteCertificateFingerprintValidationEnabled;
             this.SiteCertificateSha256Fingerprint = other.SiteCertificateSha256Fingerprint;
@@ -42,8 +41,6 @@ private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other)
 
         public TimeSpan OcspRequestTimeout { get; set; } = TimeSpan.FromSeconds(5);
 
-        public TimeSpan AllowedClientClockSkew { get; set; } = TimeSpan.FromMinutes(3);
-
         public bool IsSiteCertificateFingerprintValidationEnabled { get; private set; }
 
         public DesignatedOcspServiceConfiguration DesignatedOcspServiceConfiguration { get; internal set; }
@@ -88,7 +85,6 @@ public void Validate()
             }
 
             RequirePositiveDuration(this.OcspRequestTimeout, "OCSP request timeout");
-            RequirePositiveDuration(this.AllowedClientClockSkew, "Allowed client clock skew");
             if (this.IsSiteCertificateFingerprintValidationEnabled && this.siteCertificateSha256Fingerprint == null)
             {
                 throw new ArgumentException("Certificate fingerprint must not be null when site certificate fingerprint validation is enabled");
@@ -124,7 +120,6 @@ public bool Equals(AuthTokenValidationConfiguration other)
                    this.IsUserCertificateRevocationCheckWithOcspEnabled.Equals(other
                        .IsUserCertificateRevocationCheckWithOcspEnabled) &&
                    this.OcspRequestTimeout.Equals(other.OcspRequestTimeout) &&
-                   this.AllowedClientClockSkew.Equals(other.AllowedClientClockSkew) &&
                    this.IsSiteCertificateFingerprintValidationEnabled.Equals(other
                        .IsSiteCertificateFingerprintValidationEnabled) &&
                    Enumerable.SequenceEqual(this.DisallowedSubjectCertificatePolicies,

src/WebEid.Security/Validator/AuthTokenValidationConfiguration.cs

@@ -73,7 +73,7 @@ public async Task<X509Certificate> Validate(string authToken)
             try
             {
                 this.logger?.LogInformation("Starting token parsing and validation");
-                var authTokenParser = new AuthTokenParser(authToken, this.configuration.AllowedClientClockSkew, this.logger);
+                var authTokenParser = new AuthTokenParser(authToken, this.logger);
                 var actualTokenData = authTokenParser.ParseHeaderFromTokenString();
 
                 await this.simpleSubjectCertificateValidators.ExecuteFor(actualTokenData);