Hi all,
We have encountered a situation in the wild which I would like to share and
discuss with you.
We have strict validation of the iat claim as per section 4.3 in the
specification where we allow a reasonable skew.
The problem we see is that some users (more than a few) have changed the
clock on their mobile device. This is commonly done for users playing games
where changing the clock gives them more credit in the game. This means
that the drift is more than reasonable as per the specification. It can be
hours to days.
The solution is to use the newer "nonce" parameter (which wasn't in the
early drafts) to be able to manage the TTL server side, since the server
controls the nonce and can therefore control the TTL of any proof received.
However, the wording in section 4.3 states that:
the iat claim value is within an acceptable timeframe and,
within a reasonable consideration of accuracy and resource
utilization, a proof JWT with the same jti value has not
previously been received at the same resource during that time
period (see Section 11.1
<https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-07#section-11.1>),
And in section 11.1 this limits it to seconds or minutes.
So, even though using nonces could solve clock sync issues, it's not
possible due to the strictness of the iat claim verification.
Could we relax the wording of the iat claim verification to let the nonce
be the main solution in some cases:
Suggestion:
the iat claim value is within an acceptable timeframe and,
within a reasonable consideration of accuracy and resource
utilization, a proof JWT with the same jti value has not
previously been received at the same resource during that time
period (see Section 11.1), *unless the clock synchronization can be
made to depend on the issuance of the nonce values.*
Regards
Jacob
--
Jacob Ideskog
CTO
Curity AB
-------------------------------------------------------------------
Sankt Göransgatan 66, Stockholm, Sweden
M: +46 70-2233664
[email protected]
curity.io
-------------------------------------------------------------------
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
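The two freshness mechanisms contrasted in the mail, as an added worked example that is not part of the original message or of any Curity code: a strict `iat` skew check as in section 4.3 of draft-07 beside a check that derives freshness from a server-issued nonce whose issue time the server can recover. The skew value, nonce TTL, nonce encoding (issue time plus truncated HMAC), server key and sample proofs are all constructed for illustration; signature verification and the htm/htu/ath checks are assumed to have happened before these functions are called.

```python
"""Added example: DPoP proof freshness, strict iat skew vs. server nonce.

`claims` is the already-verified proof payload. Key, TTLs and proofs are
constructed for this example only.
"""
import base64
import hashlib
import hmac
import struct

IAT_SKEW = 300    # hypothetical "acceptable timeframe" for iat, in seconds
NONCE_TTL = 600   # hypothetical lifetime of a server-issued nonce
# Hypothetical server secret; a real server would load this from a KMS.
NONCE_KEY = hashlib.sha256(b"constructed-example-nonce-key").digest()


def issue_nonce(now: int, key: bytes = NONCE_KEY) -> str:
    """Stateless nonce: big-endian issue time || 16-byte HMAC tag over it.
    Because the server mints it, the server decides how long it lives."""
    ts = struct.pack(">Q", now)
    tag = hmac.new(key, ts, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(ts + tag).rstrip(b"=").decode("ascii")


def nonce_issue_time(nonce: str, key: bytes = NONCE_KEY):
    """Return the issue time inside `nonce`, or None if it was not minted
    with `key` (forged, tampered with, or from a different server)."""
    try:
        raw = base64.urlsafe_b64decode(nonce + "=" * (-len(nonce) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) != 24:
        return None
    ts, tag = raw[:8], raw[8:]
    expected = hmac.new(key, ts, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">Q", ts)[0]


class JtiCache:
    """Remember each jti for as long as its proof could still be accepted,
    so a captured proof cannot be replayed inside that window."""

    def __init__(self):
        self._seen = {}  # jti -> time after which the entry can be dropped

    def check_and_add(self, jti: str, now: int, window: int) -> bool:
        for old in [j for j, exp in self._seen.items() if exp <= now]:
            del self._seen[old]
        if jti in self._seen:
            return False
        self._seen[jti] = now + window
        return True


def validate_proof(claims: dict, now: int, cache: JtiCache,
                   use_nonce: bool, key: bytes = NONCE_KEY):
    """Return (ok, reason). use_nonce=False applies the section 4.3 iat
    check against the server clock; use_nonce=True takes freshness from
    the nonce's age instead, so a client clock that is hours off passes."""
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        return False, "missing jti"
    iat = claims.get("iat")
    if not isinstance(iat, int):
        return False, "missing iat"

    if use_nonce:
        nonce = claims.get("nonce")
        issued = nonce_issue_time(nonce, key) if isinstance(nonce, str) else None
        if issued is None:
            return False, "nonce missing or not issued by this server"
        if issued > now or now - issued > NONCE_TTL:
            return False, "nonce expired"
        window = issued + NONCE_TTL - now      # proof acceptable until nonce dies
    else:
        if abs(now - iat) > IAT_SKEW:
            return False, "iat outside acceptable timeframe"
        window = iat + IAT_SKEW - now          # proof acceptable until iat + skew

    if not cache.check_and_add(jti, now, window):
        return False, "jti replayed"
    return True, "ok"


def demo(key: bytes = NONCE_KEY) -> dict:
    """Constructed scenario: a device clock set back five hours."""
    now = 1_700_000_000
    device_clock = now - 5 * 3600
    cache = JtiCache()
    out = {}
    strict = {"jti": "p1", "iat": device_clock}
    out["strict_skewed"] = validate_proof(strict, now, cache, False, key)
    proof = {"jti": "p2", "iat": device_clock, "nonce": issue_nonce(now - 30, key)}
    out["nonce_skewed"] = validate_proof(proof, now, cache, True, key)
    out["nonce_replayed"] = validate_proof(proof, now + 10, cache, True, key)
    stale = {"jti": "p3", "iat": device_clock,
             "nonce": issue_nonce(now - NONCE_TTL - 1, key)}
    out["nonce_expired"] = validate_proof(stale, now, cache, True, key)
    forged = {"jti": "p4", "iat": device_clock,
              "nonce": issue_nonce(now, b"some-other-key")}
    out["nonce_forged"] = validate_proof(forged, now, cache, True, key)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

In the nonce branch the jti replay window is tied to the nonce's remaining lifetime rather than to `iat`, which is the "clock synchronization depends on the issuance of the nonce values" reading of the proposed wording; the strict branch keeps the draft's behaviour and rejects the five-hour-old `iat` outright.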