Only check if iat exists and is an interger

samuelwei · samuelwei · commit 7cf4fe6e85d5 · 2025-04-29T11:10:07.000+02:00
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -1214,7 +1214,7 @@ protected function verifyJWTClaims($claims, ?string $accessToken = null): bool
             && (!isset($claims->nonce) || $claims->nonce === $this->getNonce())
             && ( !isset($claims->exp) || ((is_int($claims->exp)) && ($claims->exp >= time() - $this->leeway)))
             && ( !isset($claims->nbf) || ((is_int($claims->nbf)) && ($claims->nbf <= time() + $this->leeway)))
-	    && ( isset($claims->iat) && ((is_int($claims->iat)) && ($claims->iat <= time() + $this->leeway)))
+	        && ( isset($claims->iat) && is_int($claims->iat))
             && ( !isset($claims->at_hash) || !isset($accessToken) || $claims->at_hash === $expected_at_hash )
         );
     }
diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php
@@ -30,6 +30,7 @@ public function getIdTokenPayload()
             'aud' => 'client-id',
             'iss' => 'issuer',
             'sub' => 'sub',
+            'iat' => time(),
         ]);
         self::assertTrue($valid);
 
@@ -38,6 +39,7 @@ public function getIdTokenPayload()
             'aud' => ['client-id'],
             'iss' => 'issuer',
             'sub' => 'sub',
+            'iat' => time(),
         ]);
         self::assertTrue($valid);
 
@@ -46,6 +48,24 @@ public function getIdTokenPayload()
             'aud' => ['ipsum'],
             'iss' => 'issuer',
             'sub' => 'sub',
+            'iat' => time(),
+        ]);
+        self::assertFalse($valid);
+
+        # iat missing
+        $valid = $client->testVerifyJWTClaims((object)[
+            'aud' => ['client-id'],
+            'iss' => 'issuer',
+            'sub' => 'sub',
+        ]);
+        self::assertFalse($valid);
+
+        # iat invalid
+        $valid = $client->testVerifyJWTClaims((object)[
+            'aud' => ['client-id'],
+            'iss' => 'issuer',
+            'sub' => 'sub',
+            'iat' => 'invalid'
         ]);
         self::assertFalse($valid);
 
@@ -127,6 +147,7 @@ public function testAuthenticateDoesNotThrowExceptionIfClaimsIsMissingNonce()
         $fakeClaims->iss = 'fake-issuer';
         $fakeClaims->aud = 'fake-client-id';
         $fakeClaims->sub = 'fake-sub';
+        $fakeClaims->iat = time();
         $fakeClaims->nonce = null;
 
         $_REQUEST['id_token'] = 'abc.123.xyz';

Original file line number	Diff line number	Diff line change
`@@ -1214,7 +1214,7 @@ protected function verifyJWTClaims($claims, ?string $accessToken = null): bool`
`1214`	`1214`	`&& (!isset($claims->nonce) \|\| $claims->nonce === $this->getNonce())`
`1215`	`1215`	`&& ( !isset($claims->exp) \|\| ((is_int($claims->exp)) && ($claims->exp >= time() - $this->leeway)))`
`1216`	`1216`	`&& ( !isset($claims->nbf) \|\| ((is_int($claims->nbf)) && ($claims->nbf <= time() + $this->leeway)))`
`1217`		`- && ( isset($claims->iat) && ((is_int($claims->iat)) && ($claims->iat <= time() + $this->leeway)))`
	`1217`	`+ && ( isset($claims->iat) && is_int($claims->iat))`
`1218`	`1218`	`&& ( !isset($claims->at_hash) \|\| !isset($accessToken) \|\| $claims->at_hash === $expected_at_hash )`
`1219`	`1219`	`);`
`1220`	`1220`	`}`