Merge pull request #1 from arlandism/amw/enable-configurable-leeway

allows config for leeway of 'nbf' and 'exp'

connector/auth/jwt_token_validation.go

@@ -61,11 +61,25 @@ type TokenValidator interface {
 // JwtTokenValidator is the default implementation of TokenValidator.
 type JwtTokenValidator struct {
 	cache.AuthCache
+	jwtoptions *JWTOptions
 }
 
 // NewJwtTokenValidator returns a new TokenValidator value with an empty cache
 func NewJwtTokenValidator() TokenValidator {
-	return &JwtTokenValidator{cache.AuthCache{}}
+	return &JwtTokenValidator{cache.AuthCache{}, &JWTOptions{}}
+}
+
+type JWTOptions struct {
+	// Leeway is used to extend the allowance window
+	// for the "nbf" and "exp" claims of the token,
+	// allowing clients to loosen restrictions on *when* a token becomes valid
+	// and when it's considered expired
+	Leeway time.Duration
+}
+
+// NewJwtTokenValidatorWithOptions returns a new TokenValidator value with JWT-options configured
+func NewJwtTokenValidatorWithOptions(options *JWTOptions) TokenValidator {
+	return &JwtTokenValidator{cache.AuthCache{}, options}
 }
 
 // AuthenticateRequest authenticates the received request from connector service.
@@ -143,7 +157,7 @@ func (jv *JwtTokenValidator) getIdentity(jwtString string) (ClaimsIdentity, erro
 	}
 
 	// TODO: Add options verify_aud and verify_exp
-	token, err := jwt.Parse(jwtString, getKey)
+	token, err := jwt.Parse(jwtString, getKey, jwt.WithLeeway(jv.jwtoptions.Leeway))
 	if err != nil {
 		return nil, err
 	}

core/bot_framework_adapter.go

@@ -52,6 +52,7 @@ type AdapterSetting struct {
 	CredentialProvider auth.CredentialProvider
 	AuthClient         *http.Client
 	ReplyClient        *http.Client
+	JWTConfig          *auth.JWTOptions
 }
 
 // BotFrameworkAdapter implements Adapter and is currently the only implementation returned to the user program.
@@ -87,12 +88,18 @@ func NewBotAdapter(settings AdapterSetting) (Adapter, error) {
 		clientConfig.ReplyClient = settings.ReplyClient
 	}
 
+	var tokenValidator auth.TokenValidator
+	if settings.JWTConfig != nil {
+		tokenValidator = auth.NewJwtTokenValidatorWithOptions(settings.JWTConfig)
+	} else {
+		tokenValidator = auth.NewJwtTokenValidator()
+	}
 	connectorClient, err := client.NewClient(clientConfig)
 	if err != nil {
 		return nil, errors.Wrap(err, "Failed to create Connector Client.")
 	}
 
-	return &BotFrameworkAdapter{settings, auth.NewJwtTokenValidator(), connectorClient}, nil
+	return &BotFrameworkAdapter{settings, tokenValidator, connectorClient}, nil
 }
 
 // ProcessActivity receives an activity, processes it as specified in by the 'handler' and

go.mod

@@ -3,7 +3,7 @@ module github.com/infracloudio/msbotbuilder-go
 go 1.16
 
 require (
-	github.com/golang-jwt/jwt/v4 v4.1.0
+	github.com/golang-jwt/jwt/v4 v4.4.0
 	github.com/lestrrat-go/jwx v1.1.7
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.7.0

go.sum

@@ -6,8 +6,8 @@ github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 h1:sgNeV1VRMDzs6rzyPpxyM0jp317h
 github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0/go.mod h1:J70FGZSbzsjecRTiTzER+3f1KZLNaXkuv+yeFTKoxM8=
 github.com/goccy/go-json v0.4.8 h1:TfwOxfSp8hXH+ivoOk36RyDNmXATUETRdaNWDaZglf8=
 github.com/goccy/go-json v0.4.8/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/golang-jwt/jwt/v4 v4.1.0 h1:XUgk2Ex5veyVFVeLm0xhusUTQybEbexJXrvPNOKkSY0=
-github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+github.com/golang-jwt/jwt/v4 v4.4.0 h1:EmVIxB5jzbllGIjiCV5JG4VylbK3KE400tLGLI1cdfU=
+github.com/golang-jwt/jwt/v4 v4.4.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/lestrrat-go/backoff/v2 v2.0.7 h1:i2SeK33aOFJlUNJZzf2IpXRBvqBBnaGXfY5Xaop/GsE=
 github.com/lestrrat-go/backoff/v2 v2.0.7/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
 github.com/lestrrat-go/blackmagic v1.0.0 h1:XzdxDbuQTz0RZZEmdU7cnQxUtFUzgCSPq8RCz4BxIi4=