add "nbf" claim in the Request Object

as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2 Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Jun 5, 2024 · d9e9990 · d9e9990
1 parent d8dac6b
commit d9e9990
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,8 +1,5 @@
-TODO:
-- store token type to pass into oidc_http_get/post calls (bearer/dpop)
-- implement DPoP off|optional|required (default: off)
-- support server provided nonce
-- certify for OIDC and FAPI2
+06/05/2024
+- add "nbf" claim in the Request Object as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2
 
 06/04/2024
 - add (client) support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -106,6 +106,7 @@
 #define OIDC_CLAIM_JTI "jti"
 #define OIDC_CLAIM_EXP "exp"
 #define OIDC_CLAIM_IAT "iat"
+#define OIDC_CLAIM_NBF "nbf"
 #define OIDC_CLAIM_NONCE "nonce"
 #define OIDC_CLAIM_AT_HASH "at_hash"
 #define OIDC_CLAIM_C_HASH "c_hash"

diff --git a/src/proto/request.c b/src/proto/request.c
@@ -343,6 +343,8 @@ static char *oidc_request_uri_request_object(request_rec *r, struct oidc_provide
 			    json_string(oidc_cfg_provider_issuer_get(provider)));
 	json_object_set_new(request_object->payload.value.json, OIDC_CLAIM_IAT,
 			    json_integer(apr_time_sec(apr_time_now())));
+	json_object_set_new(request_object->payload.value.json, OIDC_CLAIM_NBF,
+			    json_integer(apr_time_sec(apr_time_now())));
 	json_object_set_new(request_object->payload.value.json, OIDC_CLAIM_EXP,
 			    json_integer(apr_time_sec(apr_time_now()) + ttl));
 

diff --git a/test/test.c b/test/test.c
@@ -1040,9 +1040,9 @@ static char *test_proto_validate_nonce(request_rec *r) {
 	oidc_jose_error_t err;
 	TST_ASSERT_ERR("oidc_jwt_parse", oidc_jwt_parse(r->pool, s_jwt, &jwt, NULL, FALSE, &err), r->pool, err);
 
-	TST_ASSERT("oidc_proto_validate_nonce (1)",
+	TST_ASSERT("oidc_proto_idtoken_validate_nonce (1)",
 		   oidc_proto_idtoken_validate_nonce(r, c, oidc_cfg_provider_get(c), nonce, jwt));
-	TST_ASSERT("oidc_proto_validate_nonce (2)",
+	TST_ASSERT("oidc_proto_idtoken_validate_nonce (2)",
 		   oidc_proto_idtoken_validate_nonce(r, c, oidc_cfg_provider_get(c), nonce, jwt) == FALSE);
 
 	oidc_jwt_destroy(jwt);