diff --git a/projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.spec.ts b/projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.spec.ts
index 292af5259..4d9783fe9 100644
--- a/projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.spec.ts
+++ b/projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.spec.ts
@@ -367,7 +367,7 @@ describe('Auth State Service', () => {
 authStateService.hasIdTokenExpiredAndRenewCheckIsEnabled(config);
- expect(spy).toHaveBeenCalledOnceWith('idToken', config, 30);
+ expect(spy).toHaveBeenCalledOnceWith('idToken', config, 30, undefined);
 });
 it('fires event if idToken is expired', () => {
diff --git a/projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.ts b/projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.ts
index 5e937d06b..10fb6de06 100644
--- a/projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.ts
+++ b/projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.ts
@@ -118,14 +118,14 @@ export class AuthStateService {
 }
 hasIdTokenExpiredAndRenewCheckIsEnabled(configuration: OpenIdConfiguration): boolean {
- const { renewTimeBeforeTokenExpiresInSeconds, enableIdTokenExpiredValidationInRenew } = configuration;
+ const { renewTimeBeforeTokenExpiresInSeconds, enableIdTokenExpiredValidationInRenew, disableIdTokenValidation } = configuration;
 if (!enableIdTokenExpiredValidationInRenew) {
 return false;
 }
 const tokenToCheck = this.storagePersistenceService.getIdToken(configuration);
- const idTokenExpired = this.tokenValidationService.hasIdTokenExpired(tokenToCheck, configuration, renewTimeBeforeTokenExpiresInSeconds);
+ const idTokenExpired = this.tokenValidationService.hasIdTokenExpired(tokenToCheck, configuration, renewTimeBeforeTokenExpiresInSeconds, disableIdTokenValidation);
 if (idTokenExpired) {
 this.publicEventsService.fireEvent(EventTypes.IdTokenExpired, idTokenExpired);
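Review bot: In the auth-state.service.ts hunk, `disableIdTokenValidation` is destructured and threaded through as an extra positional boolean even though `configuration`, which already carries it, is passed on the very same `hasIdTokenExpired` call; every caller of `hasIdTokenExpired` and `validateIdTokenExpNotExpired` now has to remember a fourth argument, and one that omits it silently keeps validation on, which is exactly what the spec change on this line pins with `undefined`. Reading the flag inside `validateIdTokenExpNotExpired` from `configuration.disableIdTokenValidation` would leave both signatures unchanged and make the matching destructuring additions in the state-validation.service.ts and token-validation.service.ts hunks unnecessary. Whichever shape is kept, the only spec change here updates an existing expectation; a case that sets the option and asserts that `hasIdTokenExpiredAndRenewCheckIsEnabled` reports the token as not expired and fires no `IdTokenExpired` event would cover the new path. The method's body continues past the end of the hunk.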
diff --git a/projects/angular-auth-oidc-client/src/lib/config/openid-configuration.ts b/projects/angular-auth-oidc-client/src/lib/config/openid-configuration.ts
index a3f10a47c..ef0ade9e1 100644
--- a/projects/angular-auth-oidc-client/src/lib/config/openid-configuration.ts
+++ b/projects/angular-auth-oidc-client/src/lib/config/openid-configuration.ts
@@ -175,4 +175,6 @@ export interface OpenIdConfiguration {
 * The refresh token rotation is optional (rfc6749) but is more safe and hence encouraged.
 */
 allowUnsafeReuseRefreshToken?: boolean;
+ /** Disable validation for id_token expiry time */
+ disableIdTokenValidation?: boolean
 }
diff --git a/projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts b/projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts
index 809d4f9e8..cecb88fe7 100644
--- a/projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts
+++ b/projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts
@@ -51,7 +51,7 @@ export class StateValidationService {
 }
 if (callbackContext.authResult.id_token) {
- const { clientId, issValidationOff, maxIdTokenIatOffsetAllowedInSeconds, disableIatOffsetValidation, ignoreNonceAfterRefresh } =
+ const { clientId, issValidationOff, maxIdTokenIatOffsetAllowedInSeconds, disableIatOffsetValidation, ignoreNonceAfterRefresh, disableIdTokenValidation } =
 configuration;
 toReturn.idToken = callbackContext.authResult.id_token;
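Review bot: The doc comment on the new `OpenIdConfiguration` member does not say what it actually switches off — only the exp check in `validateIdTokenExpNotExpired`, not signature, issuer, audience or nonce validation — so the name `disableIdTokenValidation` reads broader than the change, and the declaration lacks the trailing semicolon its sibling `allowUnsafeReuseRefreshToken?: boolean;` has. Suggested replacement for the two added lines: `/** Disables only the id_token expiry (exp) check, in both the auth-callback validation and the renew check; an expired id_token is then accepted. Off by default. */` followed by `disableIdTokenValidation?: boolean;`. A narrower name such as `disableIdTokenExpiryValidation` would match the behaviour if a rename is still possible before the option ships.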
@@ -164,7 +164,7 @@ export class StateValidationService {
 return of(toReturn);
 }
- if (!this.tokenValidationService.validateIdTokenExpNotExpired(toReturn.decodedIdToken, configuration)) {
+ if (!this.tokenValidationService.validateIdTokenExpNotExpired(toReturn.decodedIdToken, configuration, maxIdTokenIatOffsetAllowedInSeconds, disableIdTokenValidation)) {
 this.loggerService.logWarning(configuration, 'authCallback id token expired');
 toReturn.state = ValidationResult.TokenExpired;
 this.handleUnsuccessfulValidation(configuration);
diff --git a/projects/angular-auth-oidc-client/src/lib/validation/token-validation.service.ts b/projects/angular-auth-oidc-client/src/lib/validation/token-validation.service.ts
index 18ed4be40..02de66027 100644
--- a/projects/angular-auth-oidc-client/src/lib/validation/token-validation.service.ts
+++ b/projects/angular-auth-oidc-client/src/lib/validation/token-validation.service.ts
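Review bot: The rewritten `validateIdTokenExpNotExpired` call now passes `maxIdTokenIatOffsetAllowedInSeconds` as the `offsetSeconds` argument, where the old call passed nothing and the method's own `offsetSeconds || 0` applied. That value is the iat clock-skew allowance used alongside `disableIatOffsetValidation`, whereas the other caller, `hasIdTokenExpiredAndRenewCheckIsEnabled`, supplies `renewTimeBeforeTokenExpiresInSeconds` in that position, so this silently changes the expiry comparison on the callback path (the part of the method that uses `offsetSeconds` lies outside the hunk) and is not mentioned as intended. If only the new flag was meant to be added, the line should read `if (!this.tokenValidationService.validateIdTokenExpNotExpired(toReturn.decodedIdToken, configuration, undefined, disableIdTokenValidation)) {`. The enclosing method starts and ends outside this hunk.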
@@ -68,15 +68,17 @@ export class TokenValidationService {
 // id_token C7: The current time MUST be before the time represented by the exp Claim
 // (possibly allowing for some small leeway to account for clock skew).
- hasIdTokenExpired(token: string, configuration: OpenIdConfiguration, offsetSeconds?: number): boolean {
+ hasIdTokenExpired(token: string, configuration: OpenIdConfiguration, offsetSeconds?: number, disableIdTokenValidation?: boolean): boolean {
 const decoded = this.tokenHelperService.getPayloadFromToken(token, false, configuration);
- return !this.validateIdTokenExpNotExpired(decoded, configuration, offsetSeconds);
+ return !this.validateIdTokenExpNotExpired(decoded, configuration, offsetSeconds, disableIdTokenValidation);
 }
 // id_token C7: The current time MUST be before the time represented by the exp Claim
 // (possibly allowing for some small leeway to account for clock skew).
- validateIdTokenExpNotExpired(decodedIdToken: string, configuration: OpenIdConfiguration, offsetSeconds?: number): boolean {
+ validateIdTokenExpNotExpired(decodedIdToken: string, configuration: OpenIdConfiguration, offsetSeconds?: number, disableIdTokenValidation?: boolean): boolean {
+ if (disableIdTokenValidation) return true;
+
 const tokenExpirationDate = this.tokenHelperService.getTokenExpirationDate(decodedIdToken);
 offsetSeconds = offsetSeconds || 0;
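Review bot: The added `if (disableIdTokenValidation) return true;` makes `validateIdTokenExpNotExpired` (and through it `hasIdTokenExpired`) succeed for any token, yet the `// id_token C7: The current time MUST be before the time represented by the exp Claim` comments above both methods still describe an unconditional check; add a line such as `// Skipped entirely when disableIdTokenValidation is set (explicit opt-out from C7, not spec-conformant).` under each. The surrounding code uses braces on one-line conditionals (`if (idTokenExpired) {` in the auth-state hunk), so `if (disableIdTokenValidation) { return true; }` would match the file's style. With the flag set, `hasIdTokenExpired` still runs `getPayloadFromToken` before the early return, so a malformed token is decoded first; if that is not wanted, check the flag ahead of the decode. The body of `validateIdTokenExpNotExpired` continues past the end of the hunk.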