add configurable iat slack interval; increase default to 120; closes #1

zmartzone · Oct 7, 2015 · 612ce57 · 612ce57
1 parent 44f4b70
commit 612ce57
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -73,8 +73,9 @@ http {
              discovery = "https://accounts.google.com/.well-known/openid-configuration",
              client_id = "<client_id",
              client_secret = "<client_secret"
-             --authorization_params = { hd="pingidentity.com" }
+             --authorization_params = { hd="pingidentity.com" },
              --scope = "openid email profile",
+             --iat_slack = 600,
           }
 
           -- call authenticate for OpenID Connect user authentication

diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -86,7 +86,8 @@ local function openidc_validate_id_token(opts, id_token)
   end
 
   -- check issued-at timestamp
-  if id_token.iat < (os.time() - 10) then
+  local slack=opts.iat_slack and opts.iat_slack or 120
+  if id_token.iat < (os.time() - slack) then
     ngx.log(ngx.ERR, "token is not valid yet: id_token.iat=", id_token.iat, ", os.time()=", os.time())
     return false
   end