
Actionable suggestion for ID token validation failures #449


Merged: 3 commits, Dec 28, 2021
5 changes: 3 additions & 2 deletions msal/oauth2cli/oidc.py
Expand Up @@ -44,10 +44,11 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
err = None # https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
_now = int(now or time.time())
skew = 120 # 2 minutes
TIME_SUGGESTION = "Make sure your computer's time is correctly synchronized."
Contributor:
Perhaps we also need to mention time zone? The time on the right bottom corner may seem correct, but the time zone may be wrong.


@rayluo (Collaborator, Author), Jan 18, 2022:

Good point. I'll change that line to "Make sure your computer's time and time zone are both correct".

if _now + skew < decoded.get("nbf", _now - 1): # nbf is optional per JWT specs
# This is not an ID token validation, but a JWT validation
# https://tools.ietf.org/html/rfc7519#section-4.1.5
err = "0. The ID token is not yet valid."
err = "0. The ID token is not yet valid. " + TIME_SUGGESTION
if issuer and issuer != decoded["iss"]:
# https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
err = ('2. The Issuer Identifier for the OpenID Provider, "%s", '
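Review bot: TIME_SUGGESTION is introduced as a function-local constant right after `skew = 120`, but it is a fixed string shared by two error branches, so it belongs at module level with the other constants, and its wording should mention the time zone as well as the clock (as the inline thread already proposes). Also worth noting in this hunk: `err` is reassigned rather than returned on each failed check (`err = "0. The ID token is not yet valid. " + TIME_SUGGESTION` is immediately followed by `if issuer and issuer != decoded["iss"]: err = ('2. ...`), so a token that trips the nbf check and a later check reports only the later message and the clock-skew hint is silently lost; either collect the messages or return on the first failure, and say which in a comment.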
Expand All @@ -68,7 +69,7 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
# the TLS server validation MAY be used to validate the issuer
# in place of checking the token signature.
if _now - skew > decoded["exp"]:
err = "9. The current time MUST be before the time represented by the exp Claim."
err = "9. The ID token already expires. " + TIME_SUGGESTION
if nonce and nonce != decoded.get("nonce"):
err = ("11. Nonce must be the same value "
"as the one that was sent in the Authentication Request.")
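Review bot: the replacement message on the `exp` branch, "9. The ID token already expires.", is ungrammatical and drops the claim name that the previous wording carried, so the reader can no longer tell which claim failed or which validation step "9." refers to; suggest "9. The ID token has already expired (exp claim). " + TIME_SUGGESTION. The check itself, `_now - skew > decoded["exp"]`, is unchanged and still applies the 2-minute skew in the lenient direction, which is the right side to be on for an expiry check.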