problem with validating auth_time claim in JWT issued by ADFS on Windows Server 2016

[dstelts]

Hi,
This may be more of a problem w/ ADFS (and it usually is) but it was issuing an auth_time claim for access tokens as an ISO-8601 string instead of a UNIX timestamp:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "..."
}.{
  "aud": "...",
  "iss": "...",
  "iat": 1584215370,
  "exp": 1584218970,
  "upn": "...",
  "apptype": "Confidential",
  "appid": "...",
  "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "auth_time": "2020-03-14T18:52:01.180Z",
  "ver": "1.0",
  "scp": "openid"
}.[Signature]

This caused JWT.verify() to throw (rightly so) since auth_time wasn't in the expected format. You could do something like this in lib/jwt/verify.js to work around it:

const validateTypes = ({ header, payload }, profile, options) => {
  isPayloadString(header.alg, '"alg" header parameter', 'alg', true)

  isTimestamp(payload.iat, 'iat', profile === IDTOKEN || profile === LOGOUTTOKEN || !!options.maxTokenAge)
  isTimestamp(payload.exp, 'exp', profile === IDTOKEN || profile === ATJWT)

  // NOTE: Transforming the auth_time claim if it is an ISO-8601 string:
  if (payload.auth_time && typeof payload.auth_time === 'string') {
    payload.auth_time = Math.floor((new Date(payload.auth_time).valueOf()) / 1000)
  }

  isTimestamp(payload.auth_time, 'auth_time', !!options.maxAuthAge)
  // ...

Oddly enough, the ID tokens issued by ADFS don't have this problem. Anyway, this is a great lib and has been very helpful w/ validating JWT bearer tokens. Keep up the good work.
Thanks,
Dave Stelts

[panva]

Hi Dave,

Keep up the good work.

Thanks

This caused JWT.verify() to throw (rightly so) since auth_time wasn't in the expected format.

Exactly what i'd expect.

You could do something like this in lib/jwt/verify.js to work around it

We could, but IdP specific quirk and bug workarounds that add code surface on the account of someone not following IANA aren't something i consider for my libraries.