Merge pull request #6 from IvanJosipovic/dev

Update
IvanJosipovic · Jun 22, 2023 · 02de380 · 02de380
2 parents 026d41c + d7df3fa
commit 02de380
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/charts/oidc-guard/values.yaml b/charts/oidc-guard/values.yaml
@@ -39,19 +39,19 @@ settings:
   # Client Secret
   clientSecret: ""
 
-  # Whether access and refresh tokens should be stored in the cookie,
+  # Control if the access and refresh tokens should be stored in the cookie,
   # disable to reduce the size of the authentication cookie.
   # You may have to set 'large-client-header-buffers: 4 16k' in ingress-nginx
   saveTokensInCookie: false
 
   # Control if the audience will be validated during token validation.
-  # Validation of the audience, mitigates forwarding attacks. For example, a site that receives a token, could not replay it to another side.
+  # Validation of the audience, mitigates forwarding attacks. For example, a site that receives a token, could not replay it to another site.
   # This value can be validated at the Ingress level using /auth?aud=00000000-0000-0000-0000-000000000000
   validateAudience: false
 
   # Control if the issuer will be validated during token validation.
   # Validation of the issuer mitigates forwarding attacks that can occur when an
-  # IdentityProvider represents multiple tenants and signs tokens with the same keys.
+  # Identity Provider represents multiple tenants and signs tokens with the same keys.
   # It is possible that a token issued for the same audience could be from a different tenant.
   validateIssuer: true
 

diff --git a/src/oidc-guard/Program.cs b/src/oidc-guard/Program.cs
@@ -55,10 +55,12 @@ public static void Main(string[] args)
             o.NonceCookie.Name = settings.CookieName;
             o.ResponseType = OpenIdConnectResponseType.Code;
             o.SaveTokens = settings.SaveTokensInCookie;
+            o.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
         })
         .AddJwtBearer(o =>
         {
             o.MetadataAddress = settings.OpenIdProviderConfigurationUrl;
+            o.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
             o.TokenValidationParameters.ValidateAudience = settings.ValidateAudience;
             o.TokenValidationParameters.ValidateIssuer = settings.ValidateIssuer;
             o.TokenValidationParameters.ValidIssuers = settings.ValidIssuers;