JWT tokens, timestamps and doubles (microseconds)

Aleš Krajník ales.krajnik at craynic.com
Mon Feb 14 10:24:11 UTC 2022


Hi all,

I am having trouble with an OAuth2 setup that uses local introspection of
JWT tokens.

This happens when the JWT tokens contain timestamps as doubles, with
microseconds, for example with the following payload:

{
  "aud": "caf65d650022e3eb7cce518e7526a39f",
  "jti": "8291efed41d2ce65ec5c59a4cbcaa285f2ca37d5b2785da56de66adbd1b8eef65495bc599be5ac56",
  "iat": 1644833538.793359,
  "nbf": 1644833538.79336,
  "exp": 1644833838.773605,
  "sub": "ales at example.com",
  "scope": "email"
}

Such a JWT token produces the following error:

dovecot_1  | Feb 14 10:10:46 auth: Info:
oauth2(ales at example.com,192.168.224.2,<xWZFoffXYujAqOAC>): oauth2
failed: Local validation failed: Malformed 'exp' field

According to the RFC, the timestamps seem to be allowed to contain
non-integer values:

NumericDate
      A JSON numeric value representing the number of seconds from
      1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring
      leap seconds.  This is equivalent to the IEEE Std 1003.1, 2013
      Edition [POSIX.1] definition "Seconds Since the Epoch", in which
      each day is accounted for by exactly 86400 seconds, other than
      that non-integer values can be represented.  See RFC 3339
      [RFC3339] for details regarding date/times in general and UTC in
      particular.

(https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token-32#section-2)

After removing the fractions, the token works well.

This seems to be happening here:
https://github.com/dovecot/core/blob/master/src/lib-oauth2/oauth2-jwt.c#L41

If you agree that this is a bug, can I file a bug report
somewhere?

Thank you!

Best,

Aleš
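The message above hinges on one point of the NumericDate definition: a JSON number, integer or not, is a valid timestamp, so a validator that accepts only integers rejects well-formed tokens. The following Python is an added example written for this page, not Dovecot's code and not the poster's; it parses exp/nbf/iat the way RFC 7519 section 2 allows (int or float, never a string or boolean) and then applies the usual exp/nbf/iat checks with optional clock-skew leeway. The payload is constructed for the example, modelled on the one in the post, and signature verification is assumed to have happened before these claims are consulted.

```python
import json
import math
from numbers import Real

# Claims payload constructed for this example, modelled on the post above:
# NumericDate values carrying microsecond fractions.
SAMPLE_PAYLOAD = json.dumps({
    "aud": "caf65d650022e3eb7cce518e7526a39f",
    "iat": 1644833538.793359,
    "nbf": 1644833538.79336,
    "exp": 1644833838.773605,
    "sub": "ales@example.com",
    "scope": "email",
})


def parse_numeric_date(value):
    """Return a NumericDate claim as a float, or raise ValueError.

    RFC 7519 section 2 defines NumericDate as a JSON numeric value that may
    be non-integer, so both 1644833838 and 1644833838.773605 are valid.
    json.loads maps JSON true/false onto a subclass of int, so booleans are
    rejected explicitly; strings such as "1644833838" are not JSON numbers
    and are rejected too.
    """
    if isinstance(value, bool) or not isinstance(value, Real):
        raise ValueError("NumericDate must be a JSON number")
    value = float(value)
    if not math.isfinite(value):
        raise ValueError("NumericDate must be finite")
    return value


def check_token_times(payload_json, now, leeway=0.0):
    """Validate exp/nbf/iat of a decoded JWT payload against `now`.

    Returns (ok, reason). `now` and `leeway` are seconds since the epoch and
    may themselves be fractional. RFC 7519 requires the current time to be
    strictly before exp and not before nbf; leeway widens both bounds to
    tolerate clock skew between issuer and verifier.
    """
    claims = json.loads(payload_json)
    for name in ("exp", "nbf", "iat"):
        if name in claims:
            try:
                claims[name] = parse_numeric_date(claims[name])
            except ValueError as e:
                return False, f"Malformed '{name}' field: {e}"
    if "exp" in claims and now >= claims["exp"] + leeway:
        return False, "token expired"
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return False, "token not yet valid"
    if "iat" in claims and now < claims["iat"] - leeway:
        return False, "token issued in the future"
    return True, "ok"


if __name__ == "__main__":
    # Evaluate the sample payload at a time inside its validity window.
    print(check_token_times(SAMPLE_PAYLOAD, now=1644833600.0))
```

Comparing fractional timestamps as floats is fine at this scale (the values are well within double precision for the sub-second part), but a verifier that stores the result as an integer should truncate, not round, so that a token is never treated as valid a fraction of a second past its exp.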