Skip to content

Custom time skew for IdToken validation #1124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Custom time skew for IdToken validation #1124

wants to merge 2 commits into from

Conversation

sobrics
Copy link

@sobrics sobrics commented Apr 8, 2025

Checklist

  • I read the Contribution Guidelines
  • I signed the CLA and WG Agreements
  • I ran, updated and added unit tests as necessary.
  • I verified the contribution matches existing coding style.
  • I updated the documentation if necessary.

Motivation and Context

In MercadonaIT, we have found that the clock on some devices can exceed the default time skew value of 10 minutes.

As described in 3.1.3.7 Id Token Validation, Rule 10 indicates that the time skew range is client specific, but currently, the library does not provide options to modify it.

The goal of this change is to add the ability to disable or modify the allowed time skew for the issued at (iat) field of the ID Token.

Description

I followed a similar approach as #662 already did for skipping the issuer https check.

Key changes:

  • The option setAllowedTimeSkew() is added to modify the allowed time skew (default: 10 minutes).
  • The option setSkipTimeValidation() is added to completely disable time validation (recommended only for development environments).

Example usage:

Modify the allowed time skew:

AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder()
    .setAllowedTimeSkew(TWENTY_MINUTES_IN_SECONDS)
    .build();

Disable time validation (for development only):

AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder()
    .setSkipTimeValidation(true)
    .build();

sobrics added 2 commits April 8, 2025 12:31
@sobrics
Allow Disabling or Customizing ID Token Time Skew
7b1bc68 
Adds functionality to either disable ID token iat (issued at) claim validation or configure a custom allowed clock skew in seconds, instead of the default 10 minutes.
@sobrics
Restore README indentation and update documentation
3eca984
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sobrics