verikloak 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 52b05250c6d7fa0c8a06ac6b3a44f0557f46218a768a662e8a8c43b7419a5849
-  data.tar.gz: 2d2ce895cf232b4dc06d1427d663b7c9fa140556515bb4fda19693a3cfb11ddf
+  metadata.gz: f694670478e8bbeff2369e0898b96a2d675e052bc19c4ac8437bfb3ff209dc52
+  data.tar.gz: 8c189a0ae636ee82ab5e0589b047327c6bd5c8360d4a40f3fcbb6ebc1491743b
 SHA512:
-  metadata.gz: 98d26aaf0061877278233968ee7fc97e6cdb188c49daa48de7e47c6e2be4c5e84d4dceab064ec4033bac9bede548f1a89cdf8222d4cf8129c2fa7395a8943fb3
-  data.tar.gz: bf11bba6fbe9a1890e188a4cb72b71dcce1da1b0f8368aee8bffb4d523f2f6c1f4f4c725b0bec8df8b1638010c5bd9499d3157337e9386518ea50cd1329e891b
+  metadata.gz: 456fb93fd6afd7376d4daedc1fe17c708d0b0c7055e5e215874418b84de69fbee048f70fc421560ae3e0296d264f5d4f0be1028382f28798531c292be7bc5ba1
+  data.tar.gz: 2f7f2107e34117cbc644b6b1c862da9521b9f1bda47a862ffb6747ad8a1bd851a3217ebc41113552684e1b67887074dfe845a14e6a0ae50cc7aaa6c4318a9665

data/CHANGELOG.md

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [1.0.2] - 2026-05-09
+
+### Fixed
+- **`iat` claim now honors `leeway`** (`TokenDecoder`): On ruby-jwt 3.x the built-in `Claims::IssuedAt` validator ignores the `leeway` option and raises `JWT::InvalidIatError` whenever `iat` is even a fraction of a second in the future. In typical OIDC deployments the IdP (e.g. Keycloak) and the Resource Server run on different hosts/containers, so `iat` is routinely a few hundred milliseconds to a few seconds ahead of the Resource Server's clock and the previously-effective leeway of `0` for `iat` produced spurious 401s. `TokenDecoder` now disables ruby-jwt's built-in `iat` check and performs its own `iat` validation that applies the configured `leeway` consistently with `exp` and `nbf`. Behaviour for tokens with `iat` further in the future than `leeway` is unchanged (still rejected with `invalid_token`). Pass `options: { verify_iat: false }` to skip the check entirely.
+- **`iat` validation now handles symbol-keyed payloads**: `verify_iat_with_leeway!` looks up both `'iat'` and `:iat`, so callers who request symbol-keyed payloads from `JWT.decode` still get the leeway-aware `iat` check applied.
+
+### Security
+- **Bumped `rack` to `>= 3.2.6` and `json` to `>= 2.19.5`** in `Gemfile.lock` to clear known advisories surfaced by `bundler-audit` (rack request-smuggling and json format-string injection).
+
+---
+
 ## [1.0.1] - 2026-02-15
 
 ### Fixed

data/README.md

@@ -336,8 +336,21 @@ config.middleware.use Verikloak::Middleware,
   }
 ```
 
-- `leeway:` sets the default skew tolerance in seconds.
-- `token_verify_options:` is passed directly to TokenDecoder (and ultimately to `JWT.decode`).
+- `leeway:` sets the default skew tolerance in seconds. It is applied to
+  `exp`, `nbf`, and `iat`. Verikloak applies leeway to `iat` itself
+  because ruby-jwt 3.x's built-in `iat` validator ignores the `leeway`
+  option; pass `token_verify_options: { verify_iat: false }` to skip the
+  `iat` check entirely.
+- `token_verify_options:` is forwarded to `TokenDecoder` (and ultimately
+  to `JWT.decode`), with the following keys handled by Verikloak rather
+  than passed through verbatim:
+  - `:leeway` — Verikloak forwards it to `JWT.decode` so it applies to
+    `exp`/`nbf`, and also uses it for its own `iat` check.
+  - `:verify_iat` — ruby-jwt's built-in `iat` validator is always
+    disabled (it ignores `:leeway` on ruby-jwt 3.x). Setting
+    `verify_iat: false` instead skips Verikloak's own `iat` check;
+    setting `verify_iat: true` (the default) keeps it enabled.
+  All other keys are forwarded to `JWT.decode` as-is.
 - If both are set, `token_verify_options[:leeway]` takes precedence.
 
 ## Performance & Caching

data/lib/verikloak/token_decoder.rb

@@ -8,7 +8,9 @@ module Verikloak
   # This class validates a JWT's signature and standard claims (`iss`, `aud`, `exp`, `nbf`, etc.)
   # using the appropriate RSA public key selected by the JWT's `kid` header.
   # Only `RS256`-signed tokens with RSA JWKs are supported.
-  # It also supports a configurable clock skew (`leeway`) to account for minor time drift.
+  # It also supports a configurable clock skew (`leeway`) to account for minor time drift,
+  # which is applied uniformly to `exp`, `nbf`, and `iat` (Verikloak applies leeway to
+  # `iat` itself because ruby-jwt 3.x's built-in `iat` validator ignores leeway).
   #
   # @example
   #   decoder = Verikloak::TokenDecoder.new(
@@ -41,7 +43,12 @@ module Verikloak
       @leeway   = leeway
       # Normalize and store verification options
       @options  = symbolize_keys(options || {})
-      @options_without_leeway = @options.except(:leeway).freeze
+      # Remove keys we manage ourselves so user-supplied values don't
+      # re-enable ruby-jwt's built-in (broken w.r.t. leeway) iat validator
+      # via the final merge in #jwt_decode_options. The user's intent for
+      # :leeway / :verify_iat is still honoured by reading from @options
+      # directly elsewhere in this class.
+      @options_for_jwt = @options.except(:leeway, :verify_iat).freeze
 
       # Build a kid-indexed hash for O(1) JWK lookup
       @jwk_by_kid = {}
@@ -118,9 +125,49 @@ module Verikloak
     # @return [Hash] Verified claims (payload).
     def decode_with_public_key(token, public_key)
       payload, = JWT.decode(token, public_key, true, jwt_decode_options)
+      verify_iat_with_leeway!(payload)
       payload
     end
 
+    # Verifies the `iat` (issued-at) claim with the configured leeway tolerance.
+    #
+    # ruby-jwt 3.x's built-in `Claims::IssuedAt` validator does not honor the
+    # `leeway` option; it raises `JWT::InvalidIatError` whenever `iat` is even
+    # a fraction of a second in the future. In OIDC deployments the IdP
+    # (e.g. Keycloak) and the Resource Server typically run on different
+    # hosts/containers with small clock skew, so `iat` is routinely a few
+    # hundred milliseconds to a few seconds in the future relative to the
+    # Resource Server's clock. To provide behaviour consistent with `exp`
+    # and `nbf` (which honor `leeway`), Verikloak performs its own `iat`
+    # check after `JWT.decode` with the configured leeway applied.
+    #
+    # Users may opt out by passing `options: { verify_iat: false }` to the
+    # decoder, in which case this check is skipped entirely.
+    #
+    # @param payload [Hash] Decoded JWT claims.
+    # @return [void]
+    # @raise [TokenDecoderError] code: 'invalid_token' when `iat` is not
+    #   numeric or is further in the future than the allowed leeway.
+    def verify_iat_with_leeway!(payload)
+      return if @options[:verify_iat] == false
+      return unless payload.is_a?(Hash)
+
+      # Support both string- and symbol-keyed payloads. Callers may pass
+      # `options: { symbolize_names: true }` which causes JWT.decode to
+      # return symbol keys; without indifferent lookup we'd silently
+      # skip iat validation while ruby-jwt's check is disabled.
+      return unless payload.key?('iat') || payload.key?(:iat)
+
+      iat = payload.key?('iat') ? payload['iat'] : payload[:iat]
+      leeway = @options.key?(:leeway) ? @options[:leeway] : @leeway
+      leeway = leeway.to_f
+
+      return if iat.is_a?(Numeric) && iat.to_f <= Time.now.to_f + leeway
+
+      raise TokenDecoderError.new('Invalid issued-at (iat) claim',
+                                  code: 'invalid_token')
+    end
+
     # Returns the verification options passed to JWT.decode.
     #
     # Enforces:
@@ -129,6 +176,15 @@ module Verikloak
     # - Expiration (`exp`) and not-before (`nbf`) checks
     # - Clock skew tolerance via `leeway`
     #
+    # NOTE: `verify_iat` is intentionally disabled here. ruby-jwt 3.x's
+    # built-in `iat` validator ignores the `leeway` option, which causes
+    # spurious `JWT::InvalidIatError` failures whenever the IdP clock is
+    # even slightly ahead of the Resource Server's clock. Verikloak
+    # re-implements the `iat` check in {#verify_iat_with_leeway!} so the
+    # configured `leeway` is honoured consistently with `exp` and `nbf`.
+    # Users may still opt out entirely by passing
+    # `options: { verify_iat: false }` to the decoder.
+    #
     # @return [Hash]
     def jwt_decode_options
       base = {
@@ -137,15 +193,17 @@ module Verikloak
         verify_iss: true,
         aud: @audience,
         verify_aud: true,
-        verify_iat: true,
+        # See note above: handled by verify_iat_with_leeway! after decode.
+        verify_iat: false,
         verify_expiration: true,
         verify_not_before: true
       }
       # options[:leeway] overrides top-level @leeway if provided
       leeway = @options.key?(:leeway) ? @options[:leeway] : @leeway
       merged = base.merge(leeway: leeway)
-      # Merge remaining options last (excluding :leeway which is already applied)
-      extra = @options_without_leeway
+      # Merge remaining options last (excluding :leeway and :verify_iat,
+      # which Verikloak manages itself — see initializer comment).
+      extra = @options_for_jwt
       merged.merge(extra)
     end
 

data/lib/verikloak/version.rb

@@ -2,5 +2,5 @@
 
 module Verikloak
   # Defines the current version of the Verikloak gem.
-  VERSION = '1.0.1'
+  VERSION = '1.0.2'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - taiyaky
@@ -131,7 +131,7 @@ metadata:
   source_code_uri: https://github.com/taiyaky/verikloak
   changelog_uri: https://github.com/taiyaky/verikloak/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/taiyaky/verikloak/issues
-  documentation_uri: https://rubydoc.info/gems/verikloak/1.0.1
+  documentation_uri: https://rubydoc.info/gems/verikloak/1.0.2
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: