Skip to content

New-Jwt should include iat claim by default; enforce when MaxTokenLifetimeSeconds is set #1451

Open
Open
New-Jwt should include iat claim by default; enforce when MaxTokenLifetimeSeconds is set#1451
Labels
area-securityimpact-behaviour-changeNothing to be worried about. Now even better than before!🌐 area-remoting🛡️ vulnerability-fix
Milestone
9.0
@michaellwest

Description

@michaellwest
michaellwest
opened on Apr 7, 2026

L2: Optional nbf/iat Claims Bypass Token Lifetime Ceiling

Severity: LOW
Category: Authentication Weakness
File: src/Spe/Core/Settings/Authorization/SharedSecretAuthenticationProvider.cs
Lines: 282–284

Risk Explanation

The nbf (not-before) and iat (issued-at) claims are only validated when their value is > 0. Since long defaults to 0 when the claim is absent, an attacker can omit both claims to bypass the maximum token lifetime check (which compares exp - iat).

Tokens without iat effectively have no lifetime ceiling, even when MaxTokenLifetimeSeconds is configured. A token with exp set to the year 2099 and no iat would pass all checks.

Practical impact: Low, because the exp check still enforces an absolute expiration. However, MaxTokenLifetimeSeconds becomes ineffective.

Backward Compatibility Warning

The SPE remoting module does NOT include iat by default. In SPE.psm1 line 39:

New-Jwt -Algorithm 'HS256' -Issuer 'SPE Remoting' -Audience ... -Name $Username -SecretKey $SharedSecret -ValidforSeconds 30

Neither -IncludeIssuedAt nor -IssuedAt is passed. Enforcing iat on the server would break all existing SPE remoting clients using the default New-Jwt call.

Implementation Plan

Phase 1: Update the client module (non-breaking)

  1. Change New-Jwt.ps1 to include iat by default:

    if ($IssuedAt -ne 0) {
    $payload['iat'] = $IssuedAt
} else {
    $payload['iat'] = [datetimeoffset]::UtcNow.ToUnixTimeSeconds()
}

  2. Update SPE.psm1 line 39 to explicitly pass -IncludeIssuedAt.

Phase 2: Enforce on the server (after clients have updated)

  1. Require iat only when MaxTokenLifetimeSeconds is configured:

    if (MaxTokenLifetimeSeconds > 0 && iat == 0)
{
    PowerShellLog.Warn("[Auth] action=authFailed reason=missingIatClaim");
    return false;
}

    When MaxTokenLifetimeSeconds is 0 (default), tokens without iat are still accepted.

  2. Do NOT unconditionally require iat — this would break third-party clients.

Files to modify

File Change Phase
Modules/SPE/New-Jwt.ps1 Always include iat by default Phase 1
Modules/SPE/SPE.psm1 Add -IncludeIssuedAt to New-Jwt call Phase 1
src/Spe/Core/Settings/Authorization/SharedSecretAuthenticationProvider.cs Require iat when MaxTokenLifetimeSeconds > 0 Phase 2

Test Plan

  1. Token without iat, MaxTokenLifetimeSeconds > 0: Before fix: passes. After fix: rejected.
  2. Token with valid iat still passes.
  3. Token without iat, MaxTokenLifetimeSeconds = 0 (disabled): Still passes (backward compat).
  4. SPE remoting module generates tokens with iat after Phase 1.
  5. Backward compat test — old client against new server with MaxTokenLifetimeSeconds=0: Works.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area-securityimpact-behaviour-changeNothing to be worried about. Now even better than before!🌐 area-remoting🛡️ vulnerability-fix

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions