JWT tokens, timestamps and doubles (microseconds)
Aleš Krajník
ales.krajnik at craynic.com
Mon Feb 14 10:24:11 UTC 2022
Hi all,
I am having trouble with an OAuth2 setup with local introspection of JWT
tokens.
This happens when the JWT tokens contain timestamps as doubles, with
microseconds, for example with the following payload:
{
  "aud": "caf65d650022e3eb7cce518e7526a39f",
  "jti": "8291efed41d2ce65ec5c59a4cbcaa285f2ca37d5b2785da56de66adbd1b8eef65495bc599be5ac56",
  "iat": 1644833538.793359,
  "nbf": 1644833538.79336,
  "exp": 1644833838.773605,
  "sub": "ales at example.com",
  "scope": "email"
}
Such a JWT token produces the following error:
dovecot_1 | Feb 14 10:10:46 auth: Info: oauth2(ales at example.com,192.168.224.2,<xWZFoffXYujAqOAC>): oauth2 failed: Local validation failed: Malformed 'exp' field
According to the RFC, the timestamps seem to be allowed to contain non-integer values:

NumericDate
    A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. This is equivalent to the IEEE Std 1003.1, 2013 Edition [POSIX.1] definition "Seconds Since the Epoch", in which each day is accounted for by exactly 86400 seconds, other than that non-integer values can be represented. See RFC 3339 [RFC3339] for details regarding date/times in general and UTC in particular.

(https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token-32#section-2)
After removing the fractions, the token works well.
This seems to be happening here:
https://github.com/dovecot/core/blob/master/src/lib-oauth2/oauth2-jwt.c#L41
If you agree that this is a bug, can I file a bug report
somewhere?
Thank you!
Best,
Aleš
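Added example (not Dovecot's code, not from the poster): a NumericDate parser that accepts both integer and fractional seconds as the quoted RFC text allows, plus the exp/nbf check a local introspection would run over it. Function names are hypothetical; the claim values in the comments and usage are the ones from the payload above.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse a JWT NumericDate (RFC 7519 section 2) from the raw JSON text of
 * a claim. The RFC allows non-integer seconds, so "1644833838" and
 * "1644833838.773605" are both valid; the fraction is dropped because
 * validity is compared in whole seconds. Returns 0 on success, -1 if the
 * text is not a well-formed, non-negative JSON number. */
int numeric_date_parse(const char *text, time_t *out)
{
    char *end;
    double value;

    /* Restrict to JSON number characters so strtod() cannot accept hex,
     * "inf", "nan" or leading whitespace. */
    if (text == NULL || *text == '\0' ||
        strspn(text, "0123456789.eE+-") != strlen(text))
        return -1;
    errno = 0;
    value = strtod(text, &end);
    if (errno != 0 || *end != '\0' || value < 0 || value > 1e15)
        return -1;
    *out = (time_t)value;            /* truncates toward zero */
    return 0;
}

/* Seconds since the epoch, or -1 when the claim text is malformed. */
long long numeric_date_seconds(const char *text)
{
    time_t t;
    return numeric_date_parse(text, &t) == 0 ? (long long)t : -1;
}

/* Time-claim check a local introspection would run: valid when
 * nbf <= now < exp, each softened by `leeway` seconds of clock skew.
 * nbf_text may be NULL when the claim is absent. Returns 1 or 0. */
int jwt_time_claims_valid(const char *exp_text, const char *nbf_text,
                          time_t now, long leeway)
{
    time_t exp, nbf;

    if (numeric_date_parse(exp_text, &exp) != 0 || now >= exp + leeway)
        return 0;                    /* malformed exp, or expired */
    if (nbf_text != NULL &&
        (numeric_date_parse(nbf_text, &nbf) != 0 || now + leeway < nbf))
        return 0;                    /* malformed nbf, or not yet valid */
    return 1;
}
```

With the payload's "exp" of 1644833838.773605 and "nbf" of 1644833538.79336, a check at now = 1644833600 passes, while the same token is rejected as expired at 1644833900 and as not yet valid at 1644833500.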