
JwtTimestampsValidator can require exp and nbf claims #17030


Open
wants to merge 2 commits into
base: main

@FerencKemeny FerencKemeny commented May 2, 2025

I implemented a required parameter in JwtTimestampValidator, JwtIssuerValidator and JwtAudienceValidator. I left the function of the original constructors untouched. In the original implementation, successful validation was returned even if the timestamp, issuer or audience claims were missing. This way the previous API and implementations are not broken. With my changes it is now possible to specify a stricter specification: to say whether a given claim is mandatory, and to indicate a missing claim with a failed validation.

This is the feature indicated in #17004
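The behaviour described above, as an added example that is not code from this PR or from Spring Security: `RequiredTimestampClaims` is a hypothetical validator that fails when `exp` or `nbf` is absent, chained in front of the stock `JwtTimestampValidator`, which by the description above returns success for a token lacking those claims. It assumes `spring-security-oauth2-jose` is on the classpath; the token is constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;

// Hypothetical helper (not a Spring Security class): rejects a Jwt whose
// exp and/or nbf claim is absent instead of treating absence as valid.
public final class RequiredTimestampClaims implements OAuth2TokenValidator<Jwt> {
    private final boolean requireExp;
    private final boolean requireNbf;

    public RequiredTimestampClaims(boolean requireExp, boolean requireNbf) {
        this.requireExp = requireExp;
        this.requireNbf = requireNbf;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt token) {
        List<OAuth2Error> errors = new ArrayList<>();
        if (requireExp && token.getExpiresAt() == null) {
            errors.add(missing("exp"));
        }
        if (requireNbf && token.getNotBefore() == null) {
            errors.add(missing("nbf"));
        }
        return errors.isEmpty() ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(errors);
    }

    private static OAuth2Error missing(String claim) {
        return new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
                "Required claim '" + claim + "' is missing", null);
    }

    // Presence check first, then the stock range check on whatever is present.
    public static OAuth2TokenValidator<Jwt> strictTimestamps() {
        return new DelegatingOAuth2TokenValidator<Jwt>(
                new RequiredTimestampClaims(true, true), new JwtTimestampValidator());
    }

    public static void main(String[] args) {
        // Constructed token with neither exp nor nbf.
        Jwt jwt = Jwt.withTokenValue("constructed").header("alg", "none").subject("alice").build();
        System.out.println("stock hasErrors=" + new JwtTimestampValidator().validate(jwt).hasErrors());
        System.out.println("strict hasErrors=" + strictTimestamps().validate(jwt).hasErrors());
    }
}
```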

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 2, 2025

@jzheaux jzheaux left a comment


Thanks, @FerencKemeny! I've left my feedback inline.

}

@Override
public OAuth2TokenValidatorResult validate(Jwt token) {
Assert.notNull(token, "token cannot be null");

I think the intent is to say the parameter name, not the datatype. Will you please leave this as-is?

@jzheaux jzheaux self-assigned this May 7, 2025
@jzheaux jzheaux added this to the 7.0.x milestone May 7, 2025
@jzheaux jzheaux added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 7, 2025
@jzheaux jzheaux changed the title optional and mandatory claims check JwtTimestampsValidator can require exp and nbf claims May 7, 2025
@FerencKemeny FerencKemeny force-pushed the feature/optional-and-mandatory-claims-check branch from 9a92ff2 to 291c6e7 Compare May 8, 2025 20:43
@FerencKemeny FerencKemeny requested a review from jzheaux May 8, 2025 20:47
This commit corrects the test that checks for both
nbf and exp missing. It also adds one for just exp
and one for just nbf.

Issue spring-projectsgh-17004

Signed-off-by: Ferenc Kemeny <ferenc.kemeny79+oss@gmail.com>
Closes spring-projectsgh-17004

Signed-off-by: Ferenc Kemeny <ferenc.kemeny79+oss@gmail.com>
@jzheaux jzheaux force-pushed the feature/optional-and-mandatory-claims-check branch from 291c6e7 to 36513ff Compare May 9, 2025 18:23

@jzheaux jzheaux left a comment


Thanks, @FerencKemeny, for the PR! We'll merge this shortly after we've wrapped up the 6.5 release.

@FerencKemeny

Thank you, @jzheaux, for all of your help on the PR. Appreciated!
