FSN#37583 Authenticatie via JWT

svn path=/Website/trunk/; revision=30622

APPL/Shared/Login.inc

@@ -918,23 +918,13 @@ function jwt_decode(token)
     return { err: "Invalid JSON: " + e.description };
   }
 
-  var now = new Date().getTime() / 1000;
-
-  // Support for nbf and exp claims.
-  // According to the RFC, they should be in seconds.
-  if (result.payload.nbf && now < result.payload.nbf) {
-    return { err:  'Token not yet active' };
-  }
-
-  if (result.payload.exp && now > result.payload.exp) {
-    return { err:  'Token expired' };
-  }
-
   return result;
 };
 
-function jwt_verify(decoded_jwt, secret, skew)
+function jwt_verify(decoded_jwt, secret, skew, duration)
 {
+  skew = skew || 0;
+  duration = duration || 0;
   if (decoded_jwt.header.alg != "HS256")
     return { err:  "Only HS256 is supported" };
 
@@ -945,14 +935,25 @@ function jwt_verify(decoded_jwt, secret, skew)
   var now = new Date().getTime() / 1000;
   if (claim.payload.iat)
   {
-    var from = now - skew;
+    // Support for nbf and exp claims.
-    var to = now + skew;
+    // According to the RFC, they should be in seconds.
-    if (claim.payload.iat < from) {
+    if (claim.payload.nbf && now + skew < claim.payload.nbf ) {
-        __DoLog("Token expired. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true), toDateTimeString(new Date(claim.payload.iat * 1000), true)));
+      return { err:  'Token not yet active' };
+    }
+
+    if (claim.payload.exp && now > claim.payload.exp + skew) {
       return { err:  'Token expired' };
     }
-    if (claim.payload.iat > to) {
+
-        __DoLog("Token not yet active. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true), toDateTimeString(new Date(claim.payload.iat * 1000), true)));
+    // Onze eigen duration/expiration controleren we ook nog
+    if (claim.payload.iat + duration < now - skew) {
+        __DoLog("Token expired. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true),
+                                                            toDateTimeString(new Date(claim.payload.iat * 1000), true)));
+        return { err:  'Token expired' };
+    }
+    if (claim.payload.iat > now + skew) {
+        __DoLog("Token not yet active. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true),
+                                                                   toDateTimeString(new Date(claim.payload.iat * 1000), true)));
         return { err:  'Token not yet active' };
     }
   }

APPL/Shared/loginTry.asp

@@ -128,7 +128,7 @@ if (user_key < 0 && jwt)
     if (oRs.Eof)
         shared.internal_error("Unknown JWT issuer: " + claim.payload.iss);
 
-    var verify = jwt_verify(claim, oRs("fac_idp_secret").Value, oRs("fac_idp_clockskew").Value);
+    var verify = jwt_verify(claim, oRs("fac_idp_secret").Value, oRs("fac_idp_clockskew").Value, oRs("fac_idp_duration").Value);
     if (verify.err)
         shared.internal_error("Invalid JWT: " + verify.err);
 
@@ -239,7 +239,7 @@ if (user_key < 0 && getQParam("sso", ""))
     }
 
     if (!ip_ok)
-        shared.internal_error("IP {0} not allowed".format(ip)); // TODO of 400 code forbidden?
+        shared.internal_error("IP {0} not allowed for this IDP".format(ip)); // TODO of 400 code forbidden?
 
     if (oRs("fac_idp_type").Value == 3) // die doet het verder zelf
     {
@@ -259,8 +259,8 @@ if (user_key < 0 && getQParam("sso", ""))
     var oCrypto = new ActiveXObject("SLNKDWF.Crypto"); // requires version 4.14
     var sig = oCrypto.hex_hmac_sha256(oRs("fac_idp_secret").Value, return_to);
     url += "&redirect_uri={0}&return_to={1}".format(safe.url(redirect_uri), safe.url(return_to));
-    Response.Redirect(url); // die stuurt ons wel terug
     oRs.Close();
+    Response.Redirect(url); // die stuurt ons wel terug
     Response.End;
 }