Check iss, iat & exp when validating JWT in OPA policy

DiamondLightSource · Apr 2, 2024 · 778f596 · 778f596
1 parent 5e1eada
commit 778f596
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/policy/token.rego b/policy/token.rego
@@ -19,8 +19,10 @@ jwks_url := concat("?", [jwks_endpoint, urlquery.encode_object({"kid": jwt_heade
 
 jwks := fetch_jwks(jwks_url).raw_body
 
-verified := unverified if {
-	io.jwt.verify_rs256(input.token, jwks)
-}
+valid := io.jwt.decode_verify(input.token, {
+	"cert": jwks,
+	"iss": "https://authn.diamond.ac.uk/realms/master",
+	"time": time.now_ns(),
+})
 
-claims := verified[1]
+claims := valid[2]