jwt remove requirement for issued at claims

Remove the requirement for IssuedAt claims from JWT for now, since we do not currently have a way to provide a leeway window for validating the claims. Expiry does the same checks as IssuedAt with an expiry window. We do not need it right now since we have clock skew check in our RPC layer to handle this correctly. rpc-common.go ``` func isRequestTimeAllowed(requestTime time.Time) bool { // Check whether request time is within acceptable skew time. utcNow := UTCNow() return !(requestTime.Sub(utcNow) > rpcSkewTimeAllowed || utcNow.Sub(requestTime) > rpcSkewTimeAllowed) } ``` Once the PR upstream is merged dgrijalva/jwt-go#139 We can bring in support for leeway later. Fixes minio#5237
harshavardhana · Jan 5, 2018 · 9543726 · 9543726
1 parent cc2497f
commit 9543726
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/cmd/jwt.go b/cmd/jwt.go
@@ -63,14 +63,11 @@ func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string,
 		return "", errAuthentication
 	}
 
-	utcNow := UTCNow()
-	token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
-		ExpiresAt: utcNow.Add(expiry).Unix(),
-		IssuedAt:  utcNow.Unix(),
+	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
+		ExpiresAt: UTCNow().Add(expiry).Unix(),
 		Subject:   accessKey,
 	})
-
-	return token.SignedString([]byte(serverCred.SecretKey))
+	return jwt.SignedString([]byte(serverCred.SecretKey))
 }
 
 func authenticateNode(accessKey, secretKey string) (string, error) {
@@ -127,7 +124,7 @@ func webRequestAuthenticate(req *http.Request) error {
 		return errAuthentication
 	}
 	if err = claims.Valid(); err != nil {
-		return err
+		return errAuthentication
 	}
 	if claims.Subject != globalServerConfig.GetCredential().AccessKey {
 		return errInvalidAccessKeyID