JWT tokens, timestamps and doubles (microseconds)
Aki Tuomi
aki.tuomi at open-xchange.com
Mon Feb 14 10:32:32 UTC 2022
> On 14/02/2022 12:24 Aleš Krajník <ales.krajnik at craynic.com> wrote:
>
>
> Hi all,
>
> I am having trouble with an OAuth2 setup with local introspection of JWT
> tokens.
>
> This happens when the JWT tokens contain timestamps as doubles, with
> microseconds, for example with the following payload:
>
> {
>   "aud": "caf65d650022e3eb7cce518e7526a39f",
>   "jti": "8291efed41d2ce65ec5c59a4cbcaa285f2ca37d5b2785da56de66adbd1b8eef65495bc599be5ac56",
>   "iat": 1644833538.793359,
>   "nbf": 1644833538.79336,
>   "exp": 1644833838.773605,
>   "sub": "ales at example.com",
>   "scope": "email"
> }
>
> Such a JWT token produces the following error:
>
> dovecot_1 | Feb 14 10:10:46 auth: Info: oauth2(ales at example.com,192.168.224.2,<xWZFoffXYujAqOAC>): oauth2 failed: Local validation failed: Malformed 'exp' field
>
> According to the RFC, the timestamps seem to be allowed to contain non-
> integer values:
>
>   NumericDate
>     A JSON numeric value representing the number of seconds from
>     1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring
>     leap seconds. This is equivalent to the IEEE Std 1003.1, 2013
>     Edition [POSIX.1] definition "Seconds Since the Epoch", in which
>     each day is accounted for by exactly 86400 seconds, other than
>     that non-integer values can be represented. See RFC 3339
>     [RFC3339] for details regarding date/times in general and UTC in
>     particular.
>
> (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token-32#section-2)
>
> After removing the fractions, the token works well.
>
> This seems to be happening here:
> https://github.com/dovecot/core/blob/master/src/lib-oauth2/oauth2-jwt.c#L41
>
> If you agree that this is a bug, can I file a bug report
> somewhere?
>
> Thank you!
>
> Best,
>
> Aleš
Thank you for your report, we'll look into this. I filed this as DOP-2753.
Aki
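The parsing rule the quoted NumericDate definition implies, written out as an added example (this is not Dovecot's lib-oauth2 code and was not posted by either participant; the function and enum names, the 9999-12-31 upper bound and the `leeway` parameter are all assumptions of the example). The parser takes the raw text of the JSON number, accepts both `1644833538` and `1644833538.793359`, and rejects everything else as malformed; the time check then rounds a fractional `exp` down and a fractional `nbf` up, so that rounding can only shorten the validity window, never extend it.

```c
/* Added example, not Dovecot code: parse a JWT NumericDate claim that may be
 * an integer or a fractional JSON number, then check exp/nbf against a
 * reference clock.  Names and limits are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum jwt_time_status {
    JWT_TIME_OK = 0,
    JWT_TIME_MALFORMED,
    JWT_TIME_EXPIRED,
    JWT_TIME_NOT_YET_VALID
};

/* Largest NumericDate accepted (9999-12-31T23:59:59Z); bigger values,
 * including an overlong digit string that overflows to +inf, are malformed. */
#define JWT_MAX_NUMERIC_DATE 253402300799.0

/* Parse the textual form of a JSON number ("1644833538" or
 * "1644833538.793359") as a NumericDate.  Assumes the JSON layer hands over
 * the raw token: exponent notation, a sign, quotes, whitespace and any other
 * trailing bytes are rejected.  Returns false on malformed input. */
bool jwt_parse_numeric_date(const char *s, double *out)
{
    const char *p = s;
    double value = 0.0;
    int digits = 0;

    if (s == NULL)
        return false;
    /* Integer part: one or more ASCII digits.  No '-' is allowed, since a
     * date before the epoch is never a meaningful exp, nbf or iat. */
    while (isdigit((unsigned char)*p)) {
        value = value * 10.0 + (double)(*p - '0');
        p++;
        digits++;
    }
    if (digits == 0)
        return false;
    /* Optional fraction: '.' followed by at least one digit, so that
     * "1644833538." is rejected while "1644833538.5" is accepted. */
    if (*p == '.') {
        double scale = 0.1;
        int frac_digits = 0;
        p++;
        while (isdigit((unsigned char)*p)) {
            value += (double)(*p - '0') * scale;
            scale /= 10.0;
            p++;
            frac_digits++;
        }
        if (frac_digits == 0)
            return false;
    }
    if (*p != '\0' || value > JWT_MAX_NUMERIC_DATE)
        return false;
    *out = value;
    return true;
}

/* Integer-second views that never widen the validity window (value is
 * known to be non-negative and below JWT_MAX_NUMERIC_DATE here). */
static int64_t jwt_floor(double t) { return (int64_t)t; }
static int64_t jwt_ceil(double t)
{
    int64_t i = (int64_t)t;
    return ((double)i < t) ? i + 1 : i;
}

/* Check exp and nbf (either may be NULL when the claim is absent) against
 * `now`, an integer Unix time, with `leeway` seconds of clock-skew
 * tolerance in both directions. */
enum jwt_time_status jwt_check_times(const char *exp, const char *nbf,
                                     int64_t now, int64_t leeway)
{
    double t;

    if (exp != NULL) {
        if (!jwt_parse_numeric_date(exp, &t))
            return JWT_TIME_MALFORMED;
        /* RFC 7519 section 4.1.4: expired on or after exp.  Rounding a
         * fractional exp down can only expire the token earlier. */
        if (now - leeway >= jwt_floor(t))
            return JWT_TIME_EXPIRED;
    }
    if (nbf != NULL) {
        if (!jwt_parse_numeric_date(nbf, &t))
            return JWT_TIME_MALFORMED;
        /* RFC 7519 section 4.1.5: not valid before nbf.  Rounding a
         * fractional nbf up can only delay acceptance, never grant it early. */
        if (now + leeway < jwt_ceil(t))
            return JWT_TIME_NOT_YET_VALID;
    }
    return JWT_TIME_OK;
}

int main(void)
{
    /* Claim values from the payload quoted above; `now` is a constructed
     * clock reading inside the token's validity window. */
    const char *exp = "1644833838.773605";
    const char *nbf = "1644833538.79336";
    int64_t now = 1644833600;

    printf("status at %lld: %d\n", (long long)now,
           (int)jwt_check_times(exp, nbf, now, 0));
    return 0;
}
```

Run against the quoted payload, the token is accepted between second 1644833539 and second 1644833837 inclusive; at exactly 1644833838 it is treated as expired even though the fractional `exp` lies 0.77 s later, which is the safe direction to err in. Strings such as `"1644833538"`, exponent forms and negative values are reported as malformed rather than silently coerced, so a misbehaving issuer surfaces as a validation error instead of a token with an unintended lifetime.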