Merge pull request #1100 from Infosys/sachin-release

Merge from develop to 1.5.1-temp includes [ES-2047]
mosip · Jan 15, 2025 · f5e50f1 · f5e50f1
2 parents 17f27b7 + bb84c1d
commit f5e50f1
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 2 deletions.
diff --git a/esignet-service/src/main/resources/application-default.properties b/esignet-service/src/main/resources/application-default.properties
@@ -410,3 +410,8 @@ mosip.esignet.ui.config.key-values={'sbi.env': '${mosip.esignet.authenticator.id
 
 #mosip.esignet.integration.audit-plugin=LoggerAuditService
 #mosip.esignet.integration.key-binder=NoOpKeyBinder
+
+mosip.esignet.jwt.leeway-seconds=5
+
+## Validation schema files
+mosip.esignet.claims.schema.url=classpath:/verified_claims_request_schema.json
diff --git a/oidc-service-impl/src/main/java/io/mosip/esignet/services/TokenServiceImpl.java b/oidc-service-impl/src/main/java/io/mosip/esignet/services/TokenServiceImpl.java
@@ -76,6 +76,9 @@ public class TokenServiceImpl implements TokenService {
 
     @Value("#{${mosip.esignet.credential.scope-resource-mapping}}")
     private Map<String, String> scopesResourceMapping;
+
+    @Value("${mosip.esignet.jwt.leeway-seconds:5}")
+    private int maxClockSkew;
 
     private static Set<String> REQUIRED_CLIENT_ASSERTION_CLAIMS;
 
@@ -140,15 +143,15 @@ public void verifyClientAssertionToken(String clientId, String jwk, String clien
             throw new EsignetException(ErrorConstants.INVALID_ASSERTION);
 
         try {
-      
+
             JWSKeySelector keySelector = new JWSVerificationKeySelector(JWSAlgorithm.RS256,
                     new ImmutableJWKSet(new JWKSet(RSAKey.parse(jwk))));
             DefaultJWTClaimsVerifier claimsSetVerifier = new DefaultJWTClaimsVerifier(new JWTClaimsSet.Builder()
                     .audience(Collections.singletonList(audience))
                     .issuer(clientId)
                     .subject(clientId)
                     .build(), REQUIRED_CLIENT_ASSERTION_CLAIMS);
-            claimsSetVerifier.setMaxClockSkew(0);
+            claimsSetVerifier.setMaxClockSkew(maxClockSkew);
 
             ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor();
             jwtProcessor.setJWSKeySelector(keySelector);

diff --git a/oidc-service-impl/src/test/java/io/mosip/esignet/services/TokenServiceTest.java b/oidc-service-impl/src/test/java/io/mosip/esignet/services/TokenServiceTest.java
@@ -61,6 +61,7 @@ public void setup() {
         ReflectionTestUtils.setField(tokenService, "signatureService", getSignatureService());
         ReflectionTestUtils.setField(tokenService, "objectMapper", new ObjectMapper());
         ReflectionTestUtils.setField(tokenService, "issuerId", "test-issuer");
+        ReflectionTestUtils.setField(tokenService, "maxClockSkew", 5);
     }
 
     @Test
@@ -127,6 +128,37 @@ public void getAccessTokenWithNonce_test() throws JSONException {
         Assert.assertNotNull(jsonObject.get(C_NONCE_EXPIRES_IN));
     }
 
+    @Test(expected = InvalidRequestException.class)
+    public void verifyClientAssertionToken_withExpiredTokenNotWithinClockSkew_thenException() throws JOSEException {
+        ReflectionTestUtils.setField(tokenService, "maxClockSkew", 0);
+        JWSSigner signer = new RSASSASigner(RSA_JWK.toRSAPrivateKey());
+        JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+                .subject("client-id")
+                .audience("audience")
+                .issueTime(new Date(System.currentTimeMillis()))
+                .expirationTime(new Date(System.currentTimeMillis() - 3000))
+                .issuer("client-id")
+                .build();
+        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
+        jwt.sign(signer);
+        tokenService.verifyClientAssertionToken("client-id", RSA_JWK.toPublicJWK().toJSONString(), jwt.serialize(),"audience");
+    }
+
+    @Test
+    public void verifyClientAssertionToken_withExpiredTokenWithinClockSkew_thenPass() throws JOSEException {
+        JWSSigner signer = new RSASSASigner(RSA_JWK.toRSAPrivateKey());
+        JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+                .subject("client-id")
+                .audience("audience")
+                .issueTime(new Date(System.currentTimeMillis()))
+                .expirationTime(new Date(System.currentTimeMillis() - 3000))
+                .issuer("client-id")
+                .build();
+        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
+        jwt.sign(signer);
+        tokenService.verifyClientAssertionToken("client-id", RSA_JWK.toPublicJWK().toJSONString(), jwt.serialize(),"audience");
+    }
+
     @Test(expected = EsignetException.class)
     public void verifyClientAssertionToken_withNullAssertion_thenFail() {
         tokenService.verifyClientAssertionToken("client-id", RSA_JWK.toPublicJWK().toJSONString(), null,"audience");