Summary
During security edge case testing, it was discovered that the server does not validate the JWT nbf (not before) claim. Tokens with a future nbf timestamp are accepted.
Current Behavior
Tokens with an nbf claim set to a future time are accepted and processed normally.
Expected Behavior
Tokens should be rejected with 401 Unauthorized if the current time is before the nbf claim value.
Security Impact
Low-Medium: While this is generally low risk since tokens are still validated for expiration (exp), proper nbf validation is a defense-in-depth measure that prevents early use of tokens that may have been generated in advance.
Technical Details
- Location: JWT validation in Micronaut Security
- Test Reference: SecurityEdgeCasesTest.tokenNotYetValid_documentsNbfBehavior()
- Configuration: May require enabling nbf validation in Micronaut JWT configuration
Suggested Fix
Enable nbf claim validation in the Micronaut security configuration. This may involve:
- Adding token.jwt.claims.nbf.validate: true or similar configuration
- Or implementing a custom claim validator
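The following is an added, stand-alone illustration of the check this issue asks for; it is not code from the Micronaut project or from the reporter. It issues HS256 tokens per RFC 7519 with a signing key and claims constructed for the demo, and puts the reported behaviour (signature and exp checked, nbf ignored) beside the expected behaviour (additionally reject when the current time is before nbf, with an optional clock-skew leeway). The configuration key quoted above is the reporter's guess; as far as I know Micronaut Security's built-in not-before validator is switched on with micronaut.security.token.jwt.claims-validators.not-before: true, but confirm that against the documentation for the version in use before relying on it.

```python
"""Minimal HS256 JWT issue/verify demo: why the nbf claim must be checked.

Added example, not code from the Micronaut project or the issue reporter.
Token format follows RFC 7519; the key, claims and timestamps are constructed
for the demo. Status codes mirror the issue: 200 = accepted, 401 = rejected.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-signing-key-not-for-production"  # constructed for the demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact HS256 JWT for the given claims (demo issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _verify_signature(token: str, key: bytes) -> dict:
    """Return the claims if the HS256 signature verifies, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never trust the token to pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def _exp_passed(claims: dict, now: int, leeway: int) -> bool:
    # RFC 7519: the current time MUST be before exp; leeway tolerates clock skew.
    return "exp" in claims and now >= claims["exp"] + leeway


def validate_without_nbf(token: str, now: int, key: bytes = SECRET, leeway: int = 0) -> int:
    """Current (reported) behaviour: signature and exp are checked, nbf is ignored."""
    try:
        claims = _verify_signature(token, key)
    except ValueError:
        return 401
    if _exp_passed(claims, now, leeway):
        return 401
    return 200


def validate_with_nbf(token: str, now: int, key: bytes = SECRET, leeway: int = 0) -> int:
    """Expected behaviour: additionally reject while the current time is before nbf."""
    try:
        claims = _verify_signature(token, key)
    except ValueError:
        return 401
    if _exp_passed(claims, now, leeway):
        return 401
    # RFC 7519: the current time MUST NOT be before nbf (minus any skew leeway).
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return 401
    return 200


if __name__ == "__main__":
    now = int(time.time())
    # A token minted in advance: valid in 10 minutes, expires in an hour.
    early = issue_token({"sub": "alice", "nbf": now + 600, "exp": now + 3600})
    print("nbf ignored :", validate_without_nbf(early, now))  # accepted, the bug
    print("nbf checked :", validate_with_nbf(early, now))     # rejected with 401
```

The validator is deliberately split into the two functions so the regression test referenced above can be mirrored: the same pre-dated token is accepted by the first and refused by the second, while tokens without an nbf claim, or whose nbf is already in the past, pass both. A non-zero leeway should be small (seconds, not minutes) and the same value used for exp and nbf, otherwise the defence-in-depth gain is lost.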