
Tighten clock skew checks for SAML. (auth0#97)
Changing default clock skew to 3 minutes to adhere to standard industry practice.
Also make clock skew a configurable option.
gkwang authored Sep 21, 2018
1 parent dda3ce4 commit d79a7ff
Showing 2 changed files with 22 additions and 9 deletions.
8 changes: 5 additions & 3 deletions lib/passport-wsfed-saml2/saml.js
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ var SAML = function (options) {
this.options.checkExpiration = (typeof this.options.checkExpiration !== 'undefined') ? this.options.checkExpiration : true;
// Note! It would be best to set this to true. But it's defaulting to false so as not to break login for expired certs.
this.options.checkCertExpiration = (typeof this.options.checkCertExpiration !== 'undefined') ? this.options.checkCertExpiration : false;
//clockskew in minutes
this.options.clockSkew = (typeof this.options.clockSkew === 'number' && this.options.clockSkew >= 0) ? this.options.clockSkew : 3;
this.options.checkAudience = (typeof this.options.checkAudience !== 'undefined') ? this.options.checkAudience : true;
this.options.checkRecipient = (typeof this.options.checkRecipient !== 'undefined') ? this.options.checkRecipient : true;
this.options.checkNameQualifier = (typeof this.options.checkNameQualifier !== 'undefined') ? this.options.checkNameQualifier : true;
Expand Down Expand Up @@ -133,15 +135,15 @@ SAML.prototype.validateCertExpiration = function (validatedSamlAssertion) {
};

SAML.prototype.validateExpiration = function (samlAssertion, version) {

var self = this;
var conditions = xpath.select(".//*[local-name(.)='Conditions']", samlAssertion);
if (!conditions || conditions.length === 0) return true;

var notBefore = new Date(conditions[0].getAttribute('NotBefore'));
notBefore = notBefore.setMinutes(notBefore.getMinutes() - 5); // 5 minutes clock skew
notBefore = notBefore.setMinutes(notBefore.getMinutes() - self.options.clockSkew);

var notOnOrAfter = new Date(conditions[0].getAttribute('NotOnOrAfter'));
notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + 5); // 5 minutes clock skew
notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + self.options.clockSkew);
var now = new Date();

if (now < notBefore || now > notOnOrAfter)
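Review bot: The guard on the new clockSkew default line accepts Infinity, because `typeof Infinity === 'number'` and `Infinity >= 0` both hold; validateExpiration then calls `setMinutes` with a non-finite value, `notBefore` and `notOnOrAfter` become NaN, both comparisons against `now` evaluate false, and the expiration check is silently disabled by a single misconfigured option. Use `Number.isFinite(this.options.clockSkew) && this.options.clockSkew >= 0` as the condition so a non-finite skew falls back to the 3-minute default like any other invalid value. The same silent pass exists in the second hunk when the `NotBefore` or `NotOnOrAfter` attribute does not parse (Invalid Date yields NaN timestamps); that predates this commit, but adding `if (isNaN(notBefore) || isNaN(notOnOrAfter)) return false;` before the final comparison would close it, assuming the function's convention is that `false` means rejection. The body of validateExpiration continues past the end of the hunk.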
23 changes: 17 additions & 6 deletions test/saml20.tests.js

