auth_jwt_require_claim vs auth_jwt_validate_exp #18

Open
col-panic opened this issue Dec 17, 2024 · 7 comments
Comments

@col-panic

Could it be that if I configure the location like this

 auth_jwt_require_claim realm_access.roles intersect json=["medelexis-ee-report-viewer"];

it is not verified whether the token is expired? I don't entirely understand the documentation

Do not process if verified by auth_jwt_require_claim directive

but in practice this seems to be the case?!

If yes, why? Could we better document this? Can I still validate whether the token is expired despite testing
for the claim?

@kjdev
Owner

kjdev commented Dec 17, 2024

auth_jwt_require_claim validation is performed before auth_jwt_validate_exp validation of exp claim.

If auth_jwt_require_claim validates the exp claim, auth_jwt_validate_exp does not validate it.

@col-panic
Author

In my opinion this is a high-severity security flaw. Both auth_jwt_key_request and exp must always be valid.
According to https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4 a JWT after expiration of exp MUST NOT be accepted for processing.

  • What is the purpose of setting the option auth_jwt_validate_exp to false?
  • Just imagine the following example: We had a user A in 2023 and he once got a valid JWT, now he is able to access the service forever?

@col-panic
Author

The same applies to auth_jwt_validate_sig: I always expect that if I set a public key, it must be validated! I never explicitly tried whether this assumption really holds!

In addition, a JWT without a signature should not be accepted at all! See e.g. https://blog.pentesteracademy.com/hacking-jwt-tokens-the-none-algorithm-67c14bb15771 the alg none attack!
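
As an added illustration (not the module's code and not from either participant), the following stdlib-only Python verifier models the three checks this thread is about: kjdev's point that the exp check runs after auth_jwt_require_claim and is skipped when that directive already covered exp, and col-panic's point that a token with alg "none" must never pass. The verifier always checks the signature, checks exp (with optional leeway) unless it is explicitly disabled, and then checks that each required claim intersects an allowed set, without letting one check short-circuit another. DEMO_KEY, NOW, the HS256 choice and the minting helper are constructed for the demo; the role name is reused from the issue only as sample data. nginx-auth-jwt itself uses whatever key source the configuration provides, so the mapping to its directives is a conceptual model, not its implementation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; not a real secret and not taken from the project.
DEMO_KEY = b"demo-hmac-key-not-for-production"
# Constructed reference time: 2024-12-17 00:00:00 UTC.
NOW = 1734393600
# Models: auth_jwt_require_claim realm_access.roles intersect json=[...]
REQUIRED = {"realm_access.roles": ["medelexis-ee-report-viewer"]}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a demo token. alg='none' yields an unsigned token with an empty
    signature segment, the shape used by the 'alg none' attack."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def lookup_claim(claims: dict, path: str):
    """Dotted lookup: 'realm_access.roles' -> claims['realm_access']['roles']."""
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def verify(token: str, key: bytes, required: dict, validate_exp: bool = True,
           leeway: int = 0, now=None):
    """Return (accepted, reason). Every check runs independently of the others."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"

    # 1. Signature: the algorithm must be the one we configured; 'none' never passes.
    if header.get("alg") != "HS256":
        return False, "rejected alg %r" % header.get("alg")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"

    # 2. exp (RFC 7519 section 4.1.4): current time must be before exp (+ leeway).
    if validate_exp:
        exp = claims.get("exp")
        now = int(time.time()) if now is None else now
        if not isinstance(exp, int) or now >= exp + leeway:
            return False, "expired or missing exp"

    # 3. Required claims: each configured claim must intersect its allowed set.
    for path, allowed in required.items():
        value = lookup_claim(claims, path)
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False, "claim %s does not intersect %r" % (path, allowed)
    return True, "ok"


def demo() -> dict:
    """Constructed tokens covering the cases raised in the thread."""
    roles = {"roles": ["medelexis-ee-report-viewer"]}
    fresh = make_token({"sub": "user-a", "exp": NOW + 300, "realm_access": roles}, DEMO_KEY)
    stale = make_token({"sub": "user-a", "exp": NOW - 31536000, "realm_access": roles}, DEMO_KEY)
    unsigned = make_token({"sub": "user-a", "exp": NOW + 300, "realm_access": roles}, DEMO_KEY, alg="none")
    wrong_role = make_token({"sub": "user-a", "exp": NOW + 300,
                             "realm_access": {"roles": ["other"]}}, DEMO_KEY)
    return {
        "fresh": verify(fresh, DEMO_KEY, REQUIRED, now=NOW),
        "stale": verify(stale, DEMO_KEY, REQUIRED, now=NOW),
        "stale_exp_off": verify(stale, DEMO_KEY, REQUIRED, validate_exp=False, now=NOW),
        "unsigned": verify(unsigned, DEMO_KEY, REQUIRED, now=NOW),
        "wrong_key": verify(fresh, b"other-key", REQUIRED, now=NOW),
        "wrong_role": verify(wrong_role, DEMO_KEY, REQUIRED, now=NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "stale_exp_off" case is the scenario col-panic describes: a token minted a year earlier with the right role is accepted as soon as the exp check is disabled, which is why the exp check should run regardless of what auth_jwt_require_claim already matched.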

@kjdev
Owner

kjdev commented Dec 18, 2024

I understand the JWT specification.
Therefore, exp and sig validation is enabled by default.

However, it is up to the user how to use them, so they can be toggled (e.g. auth_jwt_leeway).

@kjdev
Owner

kjdev commented Dec 18, 2024

For the same reason, I used to incorporate iss, sub, iat claim checks, but I have removed them now.
If necessary, you can use auth_jwt_require_claim to set up validation rules.

@col-panic
Author

Sorry, but I'm confused: we deviated from the original question?! Maybe I need to change it: how does auth_jwt_require_claim validate the exp claim?

@kjdev
Owner

kjdev commented Dec 18, 2024
