From 72696ccaea80d44bd4878ab18d341bad3be1913a Mon Sep 17 00:00:00 2001
From: Jos Groot Lipman
Date: Wed, 7 Sep 2016 15:23:50 +0000
Subject: [PATCH] FSN#37583 Authenticatie via JWT
svn path=/Website/trunk/; revision=30622
---
 APPL/Shared/Login.inc | 39 ++++++++++++++++++++-------------------
 APPL/Shared/loginTry.asp | 6 +++---
 2 files changed, 23 insertions(+), 22 deletions(-)
diff --git a/APPL/Shared/Login.inc b/APPL/Shared/Login.inc
index 8ec8f38569..827869dc9e 100644
--- a/APPL/Shared/Login.inc
+++ b/APPL/Shared/Login.inc
@@ -918,23 +918,13 @@ function jwt_decode(token)
 return { err: "Invalid JSON: " + e.description };
 }
-var now = new Date().getTime() / 1000;
-
-// Support for nbf and exp claims.
-// According to the RFC, they should be in seconds.
-if (result.payload.nbf && now < result.payload.nbf) {
-return { err: 'Token not yet active' };
-}
-
-if (result.payload.exp && now > result.payload.exp) {
-return { err: 'Token expired' };
-}
-
 return result;
 };
-function jwt_verify(decoded_jwt, secret, skew)
+function jwt_verify(decoded_jwt, secret, skew, duration)
 {
+skew = skew || 0;
+duration = duration || 0;
 if (decoded_jwt.header.alg != "HS256")
 return { err: "Only HS256 is supported" };
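Review bot: The new `skew` and `duration` parameters of jwt_verify carry no unit, yet they are added to `now`, which is computed in seconds, and to the `iat`/`exp` claims that the comment in the next hunk says must be in seconds; a one-line comment above the defaults would pin this down, e.g. `// skew and duration are in seconds, like now and the iat/nbf/exp claims`. The `|| 0` defaults only cover null/undefined: if a caller hands over a string (the values in loginTry.asp come straight from a recordset, whose column types are not visible here), `now + skew` concatenates instead of adding, so `skew = Number(skew) || 0;` and `duration = Number(duration) || 0;` would be safer. jwt_verify's body continues in the next hunk.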
@@ -945,14 +935,25 @@ function jwt_verify(decoded_jwt, secret, skew)
 var now = new Date().getTime() / 1000;
 if (claim.payload.iat) {
-var from = now - skew;
-var to = now + skew;
-if (claim.payload.iat < from) {
-__DoLog("Token expired. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true), toDateTimeString(new Date(claim.payload.iat * 1000), true)));
+// Support for nbf and exp claims.
+// According to the RFC, they should be in seconds.
+if (claim.payload.nbf && now + skew < claim.payload.nbf ) {
+return { err: 'Token not yet active' };
+}
+
+if (claim.payload.exp && now > claim.payload.exp + skew) {
+return { err: 'Token expired' };
+}
+
+// Onze eigen duration/expiration controleren we ook nog
+if (claim.payload.iat + duration < now - skew) {
+__DoLog("Token expired. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true),
+toDateTimeString(new Date(claim.payload.iat * 1000), true)));
 return { err: 'Token expired' };
 }
-if (claim.payload.iat > to) {
-__DoLog("Token not yet active. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true), toDateTimeString(new Date(claim.payload.iat * 1000), true)));
+if (claim.payload.iat > now + skew) {
+__DoLog("Token not yet active. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true),
+toDateTimeString(new Date(claim.payload.iat * 1000), true)));
 return { err: 'Token not yet active' };
 }
 }
diff --git a/APPL/Shared/loginTry.asp b/APPL/Shared/loginTry.asp
index fed35f01d7..27b2f262ed 100644
--- a/APPL/Shared/loginTry.asp
+++ b/APPL/Shared/loginTry.asp
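Review bot: The nbf and exp checks that now live in jwt_verify sit inside `if (claim.payload.iat) {`, so a token that omits `iat` is never compared against `exp` or `nbf` at all, whereas jwt_decode used to enforce both unconditionally; a correctly signed token without `iat` is therefore accepted no matter how long ago it expired. Either move the two RFC checks above the `if (claim.payload.iat)` line, or reject the omission up front with `if (!claim.payload.iat) return { err: 'Missing iat claim' };` before the branch. Note also that `claim.payload.exp &&` and `claim.payload.nbf &&` treat a claim value of 0 as absent, and that `claim.payload.exp + skew` concatenates rather than adds if the claim arrived as a JSON string, so a `typeof claim.payload.exp === 'number'` guard would make the comparison robust. jwt_verify starts in the previous hunk and the rest of its body is outside this one.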
@@ -128,7 +128,7 @@ if (user_key < 0 && jwt)
 if (oRs.Eof)
 shared.internal_error("Unknown JWT issuer: " + claim.payload.iss);
-var verify = jwt_verify(claim, oRs("fac_idp_secret").Value, oRs("fac_idp_clockskew").Value);
+var verify = jwt_verify(claim, oRs("fac_idp_secret").Value, oRs("fac_idp_clockskew").Value, oRs("fac_idp_duration").Value);
 if (verify.err)
 shared.internal_error("Invalid JWT: " + verify.err);
@@ -239,7 +239,7 @@ if (user_key < 0 && getQParam("sso", ""))
 }
 if (!ip_ok)
-shared.internal_error("IP {0} not allowed".format(ip)); // TODO of 400 code forbidden?
+shared.internal_error("IP {0} not allowed for this IDP".format(ip)); // TODO of 400 code forbidden?
 if (oRs("fac_idp_type").Value == 3) // die doet het verder zelf
 {
@@ -259,8 +259,8 @@ if (user_key < 0 && getQParam("sso", ""))
 var oCrypto = new ActiveXObject("SLNKDWF.Crypto"); // requires version 4.14
 var sig = oCrypto.hex_hmac_sha256(oRs("fac_idp_secret").Value, return_to);
 url += "&redirect_uri={0}&return_to={1}".format(safe.url(redirect_uri), safe.url(return_to));
-Response.Redirect(url); // die stuurt ons wel terug
 oRs.Close();
+Response.Redirect(url); // die stuurt ons wel terug
 Response.End;
 }
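Review bot: The call site passes `oRs("fac_idp_duration").Value` straight through, and jwt_verify's `duration = duration || 0` turns a NULL or 0 value into a zero lifetime, so an issuer without a configured duration gets tokens that are rejected as soon as `iat` is older than `fac_idp_clockskew` seconds; that is unchanged from the previous check but is now a per-issuer configuration consequence worth stating. A comment on the new line would avoid surprises for whoever fills in the issuer table: `// fac_idp_duration NULL/0 => token is only valid within the clock-skew window`. If the column is not a numeric type, the value should also be converted with `Number(...)` before it is added to `iat` in jwt_verify. The enclosing `if (user_key < 0 && jwt)` block starts and ends outside this hunk.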