On 14/02/2022 12:24 Aleš Krajník ales.krajnik@craynic.com wrote:
Hi all,
I am having trouble with an OAuth2 setup with local introspection of JWT tokens.
This happens when the JWT tokens contain timestamps as doubles, with microseconds, for example with the following payload:
{ "aud": "caf65d650022e3eb7cce518e7526a39f", "jti": "8291efed41d2ce65ec5c59a4cbcaa285f2ca37d5b2785da56de66adbd1b8eef65495bc599be5ac56", "iat": 1644833538.793359, "nbf": 1644833538.79336, "exp": 1644833838.773605, "sub": "ales@example.com", "scope": "email" }
Such a JWT token produces the following error:
dovecot_1 | Feb 14 10:10:46 auth: Info: oauth2(ales@example.com,192.168.224.2,<xWZFoffXYujAqOAC>): oauth2 failed: Local validation failed: Malformed 'exp' field
According to the RFC, the timestamps seem to be allowed to contain non-integer values:
NumericDate A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. This is equivalent to the IEEE Std 1003.1, 2013 Edition [POSIX.1] definition "Seconds Since the Epoch", in which each day is accounted for by exactly 86400 seconds, other than that non-integer values can be represented. See RFC 3339 [RFC3339] for details regarding date/times in general and UTC in particular.
(https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token-32#sec...)
After removing the fractions, the token works well.
This seems to be happening here: https://github.com/dovecot/core/blob/master/src/lib-oauth2/oauth2-jwt.c#L41
If you agree that this is a bug, can I file a bug report somewhere?
Thank you!
Best,
Aleš
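The NumericDate handling the report describes, as an added example (not Dovecot's code and not part of the original thread): a claim parser that accepts the fractional timestamps RFC 7519 permits, an integer-only variant that shows the reported failure mode, and a validity check with clock-skew leeway. Function names and the leeway parameter are assumptions of this example.

```c
#include <errno.h>
#include <math.h>
#include <stdlib.h>

/* Added example, not Dovecot's code. Parse a NumericDate claim as it appears
 * in the JSON payload. RFC 7519 allows non-integer values, so a fractional
 * "1644833838.773605" must be accepted; a validity check only needs whole
 * seconds, so the fraction is truncated. Returns seconds, or -1 if malformed. */
static long long numericdate_parse(const char *value)
{
    char *end;
    double secs;

    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    secs = strtod(value, &end);
    /* Reject trailing garbage, overflow, NaN/inf and negative dates. */
    if (*end != '\0' || errno == ERANGE || !isfinite(secs) || secs < 0)
        return -1;
    return (long long)secs;
}

/* Integer-only variant of the kind behind the "Malformed 'exp' field" error
 * in the report: the '.' in the value makes the whole claim unparseable. */
static long long numericdate_parse_strict(const char *value)
{
    char *end;
    long long secs;
    if (value == NULL || *value == '\0')
        return -1;
    secs = strtoll(value, &end, 10);
    return (*end != '\0' || secs < 0) ? -1 : secs;
}

/* Check the exp and nbf claim strings against `now` (seconds since epoch),
 * allowing `leeway` seconds of clock skew. nbf may be NULL. Returns 1 if valid. */
static int jwt_time_valid(const char *exp, const char *nbf,
                          long long now, int leeway)
{
    long long exp_t = numericdate_parse(exp), nbf_t;
    if (exp_t < 0 || now > exp_t + leeway)
        return 0;                   /* exp missing/malformed, or expired */
    if (nbf != NULL &&
        ((nbf_t = numericdate_parse(nbf)) < 0 || now + leeway < nbf_t))
        return 0;                   /* nbf malformed, or not yet valid */
    return 1;
}
```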
Thank you for your report, we'll look into this. I filed this as DOP-2753.
Aki