Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.3.7.CR1, 7.3.7.GA
Affects Version/s: 7.3.4.GA
Component/s: Security
Labels:
- regression_test_only
- upstream-fixed

Blocked:
False
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
-
Release Note Text:
Undefined
Target Release:

7.3.z.GA
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/1485
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

JwtValidator is reading the exp and nbf field as a Java int instead of long:

https://github.com/wildfly-security/wildfly-elytron/blob/master/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java#L139

This means the maximum expiration date is ~January 18, 2038. Also, with Javascript a NumericDate this would be a 64-bit value. The JWT spec also leaves open the possibility of a decimal value so that should possibly be accounted for.

clones

ELY-2069 JWT token validation uses int instead of long for the dates: exp (expiration) and nbf

Resolved

is incorporated by

JBEAP-20940 (7.3.z) Upgrade WildFly Elytron from 1.10.11.Final-redhat-00001 to 1.10.12.Final-redhat-00001

Closed

Assignee:: Ilia Vassilev

Reporter:: Ilia Vassilev

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2021/02/01 7:29 PM

Updated:: 2024/08/27 1:51 PM

Resolved:: 2021/03/18 3:16 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates