fix(oidc-proxy): validate exp independently of MAX_TOKEN_AGE_SECONDS (#8832) #8904
Open
bzqzheng wants to merge 1 commit into aaif-goose:main from
When MAX_TOKEN_AGE_SECONDS was configured, the exp check was inside an else-if branch and was never evaluated. This allowed validly-signed but expired tokens to be accepted as long as they were within the max-age window. Split the two checks into independent if statements so both must pass.
Fixes aaif-goose#8832
Signed-off-by: Bright Zheng <bzqzheng@gmail.com>
Bojun-Vvibe added a commit to Bojun-Vvibe/oss-contributions that referenced this pull request Apr 29, 2026
- aaif-goose/goose#8916 fix(bedrock): cache trailing message for stable prefix across agent turns (merge-as-is)
- aaif-goose/goose#8904 fix(oidc-proxy): validate exp independently of MAX_TOKEN_AGE_SECONDS (merge-as-is — security fix with test inversion in same commit)
Problem
When MAX_TOKEN_AGE_SECONDS is configured, the exp validation in oidc-proxy/src/index.js lives inside an else if branch that is only reached when MAX_TOKEN_AGE_SECONDS is not set. As a result, a validly-signed but expired token is accepted as long as it is within the max-age window.

Fix
Split the two checks into independent if statements so both must pass:
- MAX_TOKEN_AGE_SECONDS (when configured)
- exp claim

Test
Updated the existing test that inadvertently documented the bypass behavior. The test now correctly asserts that an expired token is rejected (401 "Token expired") even when it falls within MAX_TOKEN_AGE_SECONDS.
All 8 unit tests pass:

Checklist
Fixes #8832
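
The control-flow bug described in this pull request, reduced to a minimal model as an added example (it is not the code in oidc-proxy/src/index.js). The function names, the use of a numeric `iat` claim to measure token age, and the "Token too old" message are assumptions; only `exp`, MAX_TOKEN_AGE_SECONDS and the 401 "Token expired" response come from the page.

```javascript
// Added illustration; not the code in oidc-proxy/src/index.js.
// Assumptions: token age is measured from a numeric `iat` claim, all times
// are Unix seconds, and "Token too old" is a made-up message.

// Before: the exp check is an else-if, so it is skipped whenever a max age
// is configured.
function checkLifetimeBefore(claims, maxAgeSeconds, now) {
  if (maxAgeSeconds) {
    if (now - claims.iat > maxAgeSeconds) {
      return { status: 401, error: "Token too old" };
    }
  } else if (claims.exp !== undefined && now >= claims.exp) {
    return { status: 401, error: "Token expired" };
  }
  return { status: 200 };
}

// After: two independent checks; a token must pass both.
function checkLifetimeAfter(claims, maxAgeSeconds, now) {
  if (maxAgeSeconds && now - claims.iat > maxAgeSeconds) {
    return { status: 401, error: "Token too old" };
  }
  if (claims.exp !== undefined && now >= claims.exp) {
    return { status: 401, error: "Token expired" };
  }
  return { status: 200 };
}

// Constructed sample claims (not real tokens), evaluated at NOW.
const NOW = 1_800_000_000;
const CASES = [
  { name: "fresh, unexpired", claims: { iat: NOW - 60, exp: NOW + 240 } },
  { name: "expired, within max age", claims: { iat: NOW - 120, exp: NOW - 60 } },
  { name: "unexpired, past max age", claims: { iat: NOW - 600, exp: NOW + 600 } },
];

// Run every case through both versions for a given max-age setting.
function compare(maxAgeSeconds) {
  return CASES.map(({ name, claims }) => ({
    name,
    before: checkLifetimeBefore(claims, maxAgeSeconds, NOW).status,
    after: checkLifetimeAfter(claims, maxAgeSeconds, NOW).status,
  }));
}

console.table(compare(300));       // max age configured: second case differs
console.table(compare(undefined)); // max age unset: both versions agree
```

A regression test for this class of bug needs the middle case specifically: a token whose `exp` has passed while its age is still under the configured maximum.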