From 1ca33cae7011137d25adaee1038f7b3cc7f9cc27 Mon Sep 17 00:00:00 2001
From: Joe Grandja <10884212+jgrandja@users.noreply.github.com>
Date: Thu, 10 Apr 2025 06:45:39 -0400
Subject: [PATCH] Make DPoP IatClaimValidator public to allow configuring clock
 and clockSkew

Issue gh-16574

Closes gh-16921
---
 .../jwt/DPoPProofJwtDecoderFactory.java       |  35 +-----
 .../oauth2/jwt/JwtIssuedAtValidator.java      | 109 ++++++++++++++++++
 2 files changed, 110 insertions(+), 34 deletions(-)
 create mode 100644 oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuedAtValidator.java

diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java
index 32a5913526..9b27313e37 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java
@@ -19,7 +19,6 @@ package org.springframework.security.oauth2.jwt;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.time.Clock;
-import java.time.Duration;
 import java.time.Instant;
 import java.util.Base64;
 import java.util.Collections;
@@ -122,7 +121,7 @@ public final class DPoPProofJwtDecoderFactory implements JwtDecoderFactory<DPoPP
 		return (context) -> new DelegatingOAuth2TokenValidator<>(
 				new JwtClaimValidator<>("htm", context.getMethod()::equals),
 				new JwtClaimValidator<>("htu", context.getTargetUri()::equals), new JtiClaimValidator(),
-				new IatClaimValidator());
+				new JwtIssuedAtValidator(true));
 	}
 
 	private static final class JtiClaimValidator implements OAuth2TokenValidator<Jwt> {
@@ -168,36 +167,4 @@ public final class DPoPProofJwtDecoderFactory implements JwtDecoderFactory<DPoPP
 
 	}
 
-	private static final class IatClaimValidator implements OAuth2TokenValidator<Jwt> {
-
-		private final Duration clockSkew = Duration.ofSeconds(60);
-
-		private final Clock clock = Clock.systemUTC();
-
-		@Override
-		public OAuth2TokenValidatorResult validate(Jwt jwt) {
-			Assert.notNull(jwt, "DPoP proof jwt cannot be null");
-			Instant issuedAt = jwt.getIssuedAt();
-			if (issuedAt == null) {
-				OAuth2Error error = createOAuth2Error("iat claim is required.");
-				return OAuth2TokenValidatorResult.failure(error);
-			}
-
-			// Check time window of validity
-			Instant now = Instant.now(this.clock);
-			Instant notBefore = now.minus(this.clockSkew);
-			Instant notAfter = now.plus(this.clockSkew);
-			if (issuedAt.isBefore(notBefore) || issuedAt.isAfter(notAfter)) {
-				OAuth2Error error = createOAuth2Error("iat claim is invalid.");
-				return OAuth2TokenValidatorResult.failure(error);
-			}
-			return OAuth2TokenValidatorResult.success();
-		}
-
-		private static OAuth2Error createOAuth2Error(String reason) {
-			return new OAuth2Error(OAuth2ErrorCodes.INVALID_DPOP_PROOF, reason, null);
-		}
-
-	}
-
 }
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuedAtValidator.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuedAtValidator.java
new file mode 100644
index 0000000000..2b7a5a8c58
--- /dev/null
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuedAtValidator.java
@@ -0,0 +1,109 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.jwt;
+
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link OAuth2TokenValidator} responsible for validating the {@link JwtClaimNames#IAT
+ * "iat"} claim in the {@link Jwt}.
+ *
+ * @author Joe Grandja
+ * @since 6.5
+ * @see OAuth2TokenValidator
+ * @see Jwt
+ * @see <a target="_blank" href="https://datatracker.ietf.org/doc/html/rfc7519">JSON Web
+ * Token (JWT)</a>
+ */
+public final class JwtIssuedAtValidator implements OAuth2TokenValidator<Jwt> {
+
+	private final boolean required;
+
+	private Duration clockSkew = Duration.ofSeconds(60);
+
+	private Clock clock = Clock.systemUTC();
+
+	/**
+	 * Constructs a {@code JwtIssuedAtValidator} with the defaults.
+	 */
+	public JwtIssuedAtValidator() {
+		this(false);
+	}
+
+	/**
+	 * Constructs a {@code JwtIssuedAtValidator} using the provided parameters.
+	 * @param required {@code true} if the {@link JwtClaimNames#IAT "iat"} claim is
+	 * REQUIRED in the {@link Jwt}, {@code false} otherwise
+	 */
+	public JwtIssuedAtValidator(boolean required) {
+		this.required = required;
+	}
+
+	@Override
+	public OAuth2TokenValidatorResult validate(Jwt jwt) {
+		Assert.notNull(jwt, "jwt cannot be null");
+		Instant issuedAt = jwt.getIssuedAt();
+		if (issuedAt == null && this.required) {
+			OAuth2Error error = createOAuth2Error("iat claim is required.");
+			return OAuth2TokenValidatorResult.failure(error);
+		}
+
+		if (issuedAt != null) {
+			// Check time window of validity
+			Instant now = Instant.now(this.clock);
+			Instant notBefore = now.minus(this.clockSkew);
+			Instant notAfter = now.plus(this.clockSkew);
+			if (issuedAt.isBefore(notBefore) || issuedAt.isAfter(notAfter)) {
+				OAuth2Error error = createOAuth2Error("iat claim is invalid.");
+				return OAuth2TokenValidatorResult.failure(error);
+			}
+		}
+		return OAuth2TokenValidatorResult.success();
+	}
+
+	/**
+	 * Sets the clock skew. The default is 60 seconds.
+	 * @param clockSkew the clock skew
+	 */
+	public void setClockSkew(Duration clockSkew) {
+		Assert.notNull(clockSkew, "clockSkew cannot be null");
+		Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");
+		this.clockSkew = clockSkew;
+	}
+
+	/**
+	 * Sets the {@link Clock} used in {@link Instant#now(Clock)}.
+	 * @param clock the clock
+	 */
+	public void setClock(Clock clock) {
+		Assert.notNull(clock, "clock cannot be null");
+		this.clock = clock;
+	}
+
+	private static OAuth2Error createOAuth2Error(String reason) {
+		return new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN, reason, null);
+	}
+
+}