feat: add DISABLE_REFRESH_TOKEN_NBF to disable refresh_token.nbf (#653)

sebadob · web-flow · commit 2aecf6e75178 · 2024-12-13T11:30:24.000+01:00
* add `DISABLE_REFRESH_TOKEN_NBF`

* add "catch all" error log on the `/token` endpoint

* update reference config
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,35 @@
 # Changelog
 
+## UNRELEASED
+
+### Changes
+
+Even though not recommended at all, it is not possible to opt-out of the `refresh_token` nbf claim, and disable it.
+
+By default, A `refresh_token` will not valid before `access_token_lifetime - 60 seconds`, but some (bad) client
+implementations try to refresh `access_tokens` while they are still valid for a long time. To opt-out, you get a new
+config variable:
+
+```
+# By default, `refresh_token`s will have an `nbf` claim, making them valid
+# at `access_token_lifetime - 60 seconds`. Any usage before this time will
+# result in invalidation of not only the token itself, but also all other
+# linked sessions and tokens for this user to prevent damage in case a client
+# leaked the token by accident.
+# However, there are bad / lazy client implementations that do not respect
+# either `nbf` in the `refresh_token`, or the `exp` claim in `access_token`
+# and will refresh early while the current access_token is still valid.
+# This does not only waste resources and time, but also makes it possible
+# to have multiple valid `access_token`s at the same time for the same
+# session. You should only disable the `nbf` claim if you have a good
+# reasons to do so.
+# If disabled, the `nbf` claim will still exist, but always set to *now*.
+# default: false
+DISABLE_REFRESH_TOKEN_NBF=false
+```
+
+[]()
+
 ## v0.27.1
 
 ### Bugfix
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/book/src/config/config.md b/book/src/config/config.md
@@ -62,6 +62,22 @@ deploying with Kubernetes, extract these values into Kubernetes Secrets.
 # default: false
 #DANGER_DISABLE_INTROSPECT_AUTH=false
 
+# By default, `refresh_token`s will have an `nbf` claim, making them valid
+# at `access_token_lifetime - 60 seconds`. Any usage before this time will
+# result in invalidation of not only the token itself, but also all other
+# linked sessions and tokens for this user to prevent damage in case a client
+# leaked the token by accident.
+# However, there are bad / lazy client implementations that do not respect
+# either `nbf` in the `refresh_token`, or the `exp` claim in `access_token`
+# and will refresh early while the current access_token is still valid.
+# This does not only waste resources and time, but also makes it possible
+# to have multiple valid `access_token`s at the same time for the same
+# session. You should only disable the `nbf` claim if you have a good
+# reasons to do so.
+# If disabled, the `nbf` claim will still exist, but always set to *now*.
+# default: false
+#DISABLE_REFRESH_TOKEN_NBF=false
+
 # Can be used when 'OPEN_USER_REG=true' to restrict the domains
 # for a registration. For instance, set it to
 # 'USER_REG_DOMAIN_RESTRICTION=gmail.com' to allow only
diff --git a/rauthy.cfg b/rauthy.cfg
@@ -57,6 +57,22 @@ USERINFO_STRICT=true
 # default: false
 #DANGER_DISABLE_INTROSPECT_AUTH=false
 
+# By default, `refresh_token`s will have an `nbf` claim, making them valid
+# at `access_token_lifetime - 60 seconds`. Any usage before this time will
+# result in invalidation of not only the token itself, but also all other
+# linked sessions and tokens for this user to prevent damage in case a client
+# leaked the token by accident.
+# However, there are bad / lazy client implementations that do not respect
+# either `nbf` in the `refresh_token`, or the `exp` claim in `access_token`
+# and will refresh early while the current access_token is still valid.
+# This does not only waste resources and time, but also makes it possible
+# to have multiple valid `access_token`s at the same time for the same
+# session. You should only disable the `nbf` claim if you have a good
+# reasons to do so.
+# If disabled, the `nbf` claim will still exist, but always set to *now*.
+# default: false
+#DISABLE_REFRESH_TOKEN_NBF=false
+
 # Can be used when 'OPEN_USER_REG=true' to restrict the domains for a registration. For instance, set it to
 # 'USER_REG_DOMAIN_RESTRICTION=gmail.com' to allow only registrations with 'user@gmail.com'.
 # default: ''
diff --git a/src/api/src/oidc.rs b/src/api/src/oidc.rs
@@ -907,6 +907,7 @@ pub async fn post_token(
             Ok(resp)
         }
         Err(err) => {
+            error!("{}", err.message);
             if !has_password_been_hashed {
                 return Err(err);
             }
diff --git a/src/common/src/constants.rs b/src/common/src/constants.rs
@@ -170,6 +170,10 @@ lazy_static! {
         .unwrap_or_else(|_| String::from("false"))
         .parse::<bool>()
         .expect("DANGER_DISABLE_INTROSPECT_AUTH cannot be parsed to bool - bad format");
+    pub static ref DISABLE_REFRESH_TOKEN_NBF: bool = env::var("DISABLE_REFRESH_TOKEN_NBF")
+        .unwrap_or_else(|_| String::from("false"))
+        .parse::<bool>()
+        .expect("DISABLE_REFRESH_TOKEN_NBF cannot be parsed to bool - bad format");
 
     pub static ref SEC_HEADER_BLOCK: bool = env::var("SEC_HEADER_BLOCK")
         .unwrap_or_else(|_| String::from("true"))
diff --git a/src/common/src/lib.rs b/src/common/src/lib.rs
@@ -1,7 +1,7 @@
 // Copyright 2024 Sebastian Dobe <sebastiandobe@mailbox.org>
 #![forbid(unsafe_code)]
 // needed because the lazy_static! initialization of constants grew quite a bit
-#![recursion_limit = "256"]
+#![recursion_limit = "512"]
 
 use crate::constants::DB_TYPE;
 use std::env;
diff --git a/src/service/src/token_set.rs b/src/service/src/token_set.rs
@@ -5,7 +5,8 @@ use jwt_simple::claims::Claims;
 use jwt_simple::prelude::{coarsetime, UnixTimeStamp};
 use rauthy_api_types::oidc::JktClaim;
 use rauthy_common::constants::{
-    DEVICE_GRANT_REFRESH_TOKEN_LIFETIME, ENABLE_SOLID_AUD, ENABLE_WEB_ID, REFRESH_TOKEN_LIFETIME,
+    DEVICE_GRANT_REFRESH_TOKEN_LIFETIME, DISABLE_REFRESH_TOKEN_NBF, ENABLE_SOLID_AUD,
+    ENABLE_WEB_ID, REFRESH_TOKEN_LIFETIME,
 };
 use rauthy_common::utils::base64_url_no_pad_encode;
 use rauthy_error::{ErrorResponse, ErrorResponseType};
@@ -382,7 +383,11 @@ impl TokenSet {
             did: did.clone(),
         };
 
-        let nbf = Utc::now().add(chrono::Duration::seconds(access_token_lifetime - 60));
+        let nbf = if *DISABLE_REFRESH_TOKEN_NBF {
+            Utc::now()
+        } else {
+            Utc::now().add(chrono::Duration::seconds(access_token_lifetime - 60))
+        };
         let nbf_unix = UnixTimeStamp::from_secs(nbf.timestamp() as u64);
 
         let claims =

Original file line number	Diff line number	Diff line change
`@@ -907,6 +907,7 @@ pub async fn post_token(`
`907`	`907`	`Ok(resp)`
`908`	`908`	`}`
`909`	`909`	`Err(err) => {`
	`910`	`+ error!("{}", err.message);`
`910`	`911`	`if !has_password_been_hashed {`
`911`	`912`	`return Err(err);`
`912`	`913`	`}`