[OB3] Add iat claim validation for DCR requests #862
Conversation
Resolved review threads:
- ...on/src/main/java/com/wso2/openbanking/accelerator/common/config/OpenBankingConfigParser.java (2 threads)
- ....accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/JWTUtils.java (2 threads)
AI Agent Log Improvement Checklist
- The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. The purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
- Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion will make sense or add value to our purpose, so you have the freedom to decide which of the suggestions are helpful.
✅ Before merging this pull request:
- Review all AI-generated comments for accuracy and relevance.
- Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.
| Comment | Accepted (Y/N) | Reason |
|---|---|---|
| Log Improvement Suggestion No: 1 | N | Replied |
| Log Improvement Suggestion No: 2 | N | Replied |
| Log Improvement Suggestion No: 3 | N | Replied |
| Log Improvement Suggestion No: 4 | N | Replied |
| long timestampSkew = java.util.concurrent.TimeUnit.SECONDS.toMillis( | ||
| OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds()); | ||
| long now = System.currentTimeMillis(); | ||
| if (iat.getTime() > now + Math.max(0, timestampSkew)) { |
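Review bot: the comparison on the last line only rejects an iat that lies in the future beyond the configured skew; nothing in this hunk bounds iat from below, so an arbitrarily old request, or a negative epoch value that `iat.getTime()` turns into a pre-1970 Date, passes the check. Suggest adding a lower bound next to it, e.g. reject `iat.getTime() <= 0` and `iat.getTime() < now - timestampSkew - maxAge` with `maxAge` a configured maximum request age, so a replayed DCR request is refused rather than only a forged future one. Also worth a test that the claim is interpreted as a NumericDate in seconds before it is compared with the millisecond value of `now`, since a seconds-vs-milliseconds mix-up would make every real iat look decades in the past.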
Do we need to handle the situation where this is just a number and not a valid timestamp?
iat is sent as an epoch timestamp. So any number will be converted to a valid timestamp when it comes to this point.
Okay. Ensure that any situation like a negative number, etc., is also handled.
| } | ||
| } | ||
| } | ||
|
|
Why is this removed?
Original file had 2 newlines at the end. Removed one.
Add iat claim validation for DCR requests
Additionally, a clock skew for the validation can be added using the following config.
Issue link: #861
Doc Issue: Optional, link issue from documentation repository
Applicable Labels: Spec, product, version, type (specify requested labels)
Development Checklist
Secure Development Checklist
Testing Checklist
Automation Test Details
Conformance Tests Details
Resources
Knowledge Base: https://sites.google.com/wso2.com/open-banking/
Guides: https://sites.google.com/wso2.com/open-banking/developer-guides
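The review thread above asks for negative and otherwise implausible iat values to be handled as well as future-dated ones. The following is an added, self-contained example written for this page; it is not the accelerator's code and does not use its classes. It keeps the shape of the change under review (iat arrives as a Date, the skew comes from a seconds-valued config) but also rejects non-positive epoch values and requests older than a hypothetical maximum age; the `maxAgeSeconds` parameter, the `IatValidationExample` class and the fixed "now" in `main` are all assumptions made for the illustration.

```java
import java.time.Instant;
import java.util.Date;

/**
 * Added example (not the accelerator's own code): validate a JWT iat claim
 * against a clock skew, rejecting future, non-positive and stale values.
 */
public final class IatValidationExample {

    /** Thrown when the iat claim fails validation. */
    public static final class IatValidationException extends Exception {
        IatValidationException(String message) {
            super(message);
        }
    }

    /**
     * @param iat           parsed iat claim, or null when the claim is absent
     * @param now           current time (injected so the check is testable)
     * @param skewSeconds   allowed clock skew in seconds (assumed to come from
     *                      the server's timestamp-skew configuration)
     * @param maxAgeSeconds hypothetical maximum age of a request; 0 disables it
     */
    public static void validateIat(Date iat, Instant now, long skewSeconds, long maxAgeSeconds)
            throws IatValidationException {
        if (iat == null) {
            throw new IatValidationException("iat claim is required");
        }
        long iatMillis = iat.getTime();
        // A zero or negative epoch value can never be a genuine issue time. A
        // future-only check accepts it silently, so reject it explicitly.
        if (iatMillis <= 0) {
            throw new IatValidationException("iat is not a positive epoch timestamp");
        }
        // Negative skew from a misconfiguration is treated as no skew at all.
        long skewMillis = Math.max(0, skewSeconds) * 1000L;
        long nowMillis = now.toEpochMilli();
        if (iatMillis > nowMillis + skewMillis) {
            throw new IatValidationException("iat is in the future beyond the allowed skew");
        }
        // Lower bound: a request issued too long ago is refused as stale.
        if (maxAgeSeconds > 0 && iatMillis < nowMillis - skewMillis - maxAgeSeconds * 1000L) {
            throw new IatValidationException("iat is older than the maximum request age");
        }
    }

    /**
     * JWT NumericDate values are seconds since the epoch; convert to a Date
     * without silently overflowing on absurd inputs.
     */
    public static Date fromNumericDate(long seconds) {
        try {
            return new Date(Math.multiplyExact(seconds, 1000L));
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException("iat value out of range: " + seconds, e);
        }
    }

    public static void main(String[] args) {
        // Constructed fixed "now" and sample iat values for the demonstration.
        Instant now = Instant.parse("2024-01-01T12:00:00Z");
        long nowSec = now.getEpochSecond();
        long skew = 300;    // seconds
        long maxAge = 600;  // seconds, hypothetical
        long[] samples = {nowSec, nowSec + 299, nowSec + 301, 0L, -1L, nowSec - 1000};
        for (long s : samples) {
            try {
                validateIat(fromNumericDate(s), now, skew, maxAge);
                System.out.println(s + " -> accepted");
            } catch (IatValidationException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `javac IatValidationExample.java && java IatValidationExample`: the first two samples are accepted, the third is rejected as future-dated, the zero and negative values are rejected by the positive-epoch check, and the last is rejected as stale. Injecting `now` rather than calling `System.currentTimeMillis()` inside the check is what makes the boundary cases unit-testable.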