The token could have just been generated by a server whose clock is
slightly ahead of this server's clock.
} else if (ret == 0 || iat == 0)
iat = t0;
- if (nbf > t0) {
+ /* Token could have been just generated with a server where time is
+ slightly newer than this server's time. Allow 1 second difference
+ to avoid random failures due to token being into future. */
+ if (nbf > t0 + 1) {
*error_r = "Token is not valid yet";
return -1;
}
- if (iat > t0) {
+ if (iat > t0 + 1) {
*error_r = "Token is issued in future";
return -1;
}
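Review bot: The one-second tolerance is written as a bare `+ 1` in both the `nbf` and the `iat` comparison, while the explanatory comment sits only above the first, so the two checks can drift apart and the accepted clock skew is not visible as a policy value. I would define it once, e.g. `#define JWT_MAX_CLOCK_SKEW_SECS 1`, and write `if (nbf > t0 + JWT_MAX_CLOCK_SKEW_SECS) {` and `if (iat > t0 + JWT_MAX_CLOCK_SKEW_SECS) {`. The comment would move to the definition and state that raising the value widens the window in which a not-yet-valid token is accepted. The expiry check is not part of this hunk, so that comment should also say whether expiry is meant to stay strict. The enclosing function starts and ends outside the hunk.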