fix(fapi): validate ID Token's iat regardless of which channel it cam…

…e from
panva · Apr 30, 2021 · b68b9ab · b68b9ab
1 parent 0d684f4
commit b68b9ab
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 12 deletions.
diff --git a/lib/client.js b/lib/client.js
@@ -724,6 +724,8 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       });
     }
 
+    const fapi = this.constructor.name === 'FAPIClient';
+
     if (returnedBy === 'authorization') {
       if (!payload.at_hash && tokenSet.access_token) {
         throw new RPError({
@@ -739,19 +741,7 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
         });
       }
 
-      const fapi = this.constructor.name === 'FAPIClient';
-
       if (fapi) {
-        if (payload.iat < timestamp - 3600) {
-          throw new RPError({
-            printf: ['JWT issued too far in the past, now %i, iat %i', timestamp, payload.iat],
-            now: timestamp,
-            tolerance: this[CLOCK_TOLERANCE],
-            iat: payload.iat,
-            jwt: idToken,
-          });
-        }
-
         if (!payload.s_hash && (tokenSet.state || state)) {
           throw new RPError({
             message: 'missing required property s_hash',
@@ -773,6 +763,16 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       }
     }
 
+    if (fapi && payload.iat < timestamp - 3600) {
+      throw new RPError({
+        printf: ['JWT issued too far in the past, now %i, iat %i', timestamp, payload.iat],
+        now: timestamp,
+        tolerance: this[CLOCK_TOLERANCE],
+        iat: payload.iat,
+        jwt: idToken,
+      });
+    }
+
     if (tokenSet.access_token && payload.at_hash !== undefined) {
       try {
         tokenHash.validate({ claim: 'at_hash', source: 'access_token' }, payload.at_hash, tokenSet.access_token, header.alg, key && key.crv);

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -2644,9 +2644,11 @@ describe('Client', () => {
     it('FAPIClient checks iat is fresh', function () {
       const code = 'jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y'; // eslint-disable-line camelcase, max-len
       const c_hash = '77QmUPtjPfzWtF2AnpK9RQ'; // eslint-disable-line camelcase
+      const s_hash = 'LCa0a2j_xo_5m0U8HTBBNA'; // eslint-disable-line camelcase
 
       return this.IdToken(this.keystore.get(), 'RS256', {
         c_hash,
+        s_hash,
         iss: this.issuer.issuer,
         sub: 'userId',
         aud: this.fapiClient.client_id,