From 6072fd93686c1f34eb5131a13527b95eca4d534d Mon Sep 17 00:00:00 2001
From: Ivan Josipovic <9521987+IvanJosipovic@users.noreply.github.com>
Date: Mon, 19 Jun 2023 18:32:33 -0700
Subject: [PATCH 1/2] chore: update docs
---
 charts/oidc-guard/values.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/oidc-guard/values.yaml b/charts/oidc-guard/values.yaml
index f493211..1867a2a 100644
--- a/charts/oidc-guard/values.yaml
+++ b/charts/oidc-guard/values.yaml
@@ -39,19 +39,19 @@ settings:
 # Client Secret clientSecret: "" - # Whether access and refresh tokens should be stored in the cookie, + # Control if the access and refresh tokens should be stored in the cookie, # disable to reduce the size of the authentication cookie. # You may have to set 'large-client-header-buffers: 4 16k' in ingress-nginx saveTokensInCookie: false # Control if the audience will be validated during token validation. - # Validation of the audience, mitigates forwarding attacks. For example, a site that receives a token, could not replay it to another side. + # Validation of the audience, mitigates forwarding attacks. For example, a site that receives a token, could not replay it to another site. # This value can be validated at the Ingress level using /auth?aud=00000000-0000-0000-0000-000000000000 validateAudience: false # Control if the issuer will be validated during token validation. # Validation of the issuer mitigates forwarding attacks that can occur when an - # IdentityProvider represents multiple tenants and signs tokens with the same keys. + # Identity Provider represents multiple tenants and signs tokens with the same keys. # It is possible that a token issued for the same audience could be from a different tenant. validateIssuer: true
From d7df3fa1c651af55c02604a7885f6af4818fd161 Mon Sep 17 00:00:00 2001
From: Ivan Josipovic <9521987+IvanJosipovic@users.noreply.github.com>
Date: Mon, 19 Jun 2023 18:38:55 -0700
Subject: [PATCH 2/2] fix: lower jwt clock skew from 5min to 30s
---
 src/oidc-guard/Program.cs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/oidc-guard/Program.cs b/src/oidc-guard/Program.cs
index ce0b566..a0a5ac1 100644
--- a/src/oidc-guard/Program.cs
+++ b/src/oidc-guard/Program.cs
@@ -55,10 +55,12 @@ public static void Main(string[] args)
 o.NonceCookie.Name = settings.CookieName;
 o.ResponseType = OpenIdConnectResponseType.Code;
 o.SaveTokens = settings.SaveTokensInCookie;
+ o.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
 })
 .AddJwtBearer(o =>
 {
 o.MetadataAddress = settings.OpenIdProviderConfigurationUrl;
+ o.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
 o.TokenValidationParameters.ValidateAudience = settings.ValidateAudience;
 o.TokenValidationParameters.ValidateIssuer = settings.ValidateIssuer;
 o.TokenValidationParameters.ValidIssuers = settings.ValidIssuers;
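Review bot: The 30-second skew is a magic number written twice in this hunk, once in the OpenID Connect options and once in the JwtBearer options, so the two token-validation paths can silently drift apart on a later edit. Hoist it into one named value, e.g. `private static readonly TimeSpan JwtClockSkew = TimeSpan.FromSeconds(30);` on Program, and assign `o.TokenValidationParameters.ClockSkew = JwtClockSkew;` at both sites; if deployments with poorly synchronized clocks are a concern, a settings field alongside ValidateAudience/ValidateIssuer would be the natural home instead. A why-comment is also worth adding, since the 5-minute library default named in the commit subject is what readers will otherwise assume: `// Tighten the library default clock skew (5 min): an expired token is accepted at most 30 s past exp, so the host clock must stay synchronized.`. Main starts and continues outside this hunk.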