OidcIdTokenValidator ensures clockSkew is positive number

vishalvrv9 · jgrandja · commit 45891941b0c1 · 2019-04-10T15:17:59.000-04:00
Fixes gh-6443
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java
@@ -132,6 +132,7 @@ public OAuth2TokenValidatorResult validate(Jwt idToken) {
 	 */
 	public final void setClockSkew(Duration clockSkew) {
 		Assert.notNull(clockSkew, "clockSkew cannot be null");
+		Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");
 		this.clockSkew = clockSkew;
 	}
 
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java
@@ -33,6 +33,7 @@
 import java.util.Map;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 /**
  * @author Rob Winch
@@ -60,6 +61,21 @@ public void validateWhenValidThenNoErrors() {
 		assertThat(this.validateIdToken()).isEmpty();
 	}
 
+
+	@Test
+	public void setClockSkewWhenNullThenThrowIllegalArgumentException() {
+		OidcIdTokenValidator idTokenValidator = new OidcIdTokenValidator(this.registration.build());
+		assertThatThrownBy(() -> idTokenValidator.setClockSkew(null))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void setClockSkewWhenNegativeSecondsThenThrowIllegalArgumentException() {
+		OidcIdTokenValidator idTokenValidator = new OidcIdTokenValidator(this.registration.build());
+		assertThatThrownBy(() -> idTokenValidator.setClockSkew(Duration.ofSeconds(-1)))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
 	@Test
 	public void validateWhenIssuerNullThenHasErrors() {
 		this.claims.remove(IdTokenClaimNames.ISS);

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,7 @@ public OAuth2TokenValidatorResult validate(Jwt idToken) {`
`132`	`132`	`*/`
`133`	`133`	`public final void setClockSkew(Duration clockSkew) {`
`134`	`134`	`Assert.notNull(clockSkew, "clockSkew cannot be null");`
	`135`	`+ Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");`
`135`	`136`	`this.clockSkew = clockSkew;`
`136`	`137`	`}`
`137`	`138`