
OidcIdTokenValidator ensures clockSkew is positive number

Fixes gh-6443
Vishal Raj 6 vuotta sitten
vanhempi
commit
45891941b0

+ 1 - 0
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java

@@ -132,6 +132,7 @@ public final class OidcIdTokenValidator implements OAuth2TokenValidator<Jwt> {
 	 */
 	public final void setClockSkew(Duration clockSkew) {
 		Assert.notNull(clockSkew, "clockSkew cannot be null");
+		Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");
 		this.clockSkew = clockSkew;
 	}
 
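Review bot: The added assertion in setClockSkew rejects negative values but leaves the skew unbounded above, so a caller can still pass a value large enough to make the time-based ID token checks meaningless (assuming the skew widens the expiry and issued-at window, which is not visible in this hunk). If a hard cap would break existing configurations, the Javadoc above the setter, which starts outside the hunk, should at least state that the value must be non-negative and that large values extend how long an expired token is accepted. The condition itself reads more directly as `Assert.isTrue(!clockSkew.isNegative(), "clockSkew must be >= 0");`, which is equivalent because a negative Duration always has a negative seconds part.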

+ 16 - 0
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java

@@ -33,6 +33,7 @@ import java.util.HashMap;
 import java.util.Map;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 /**
  * @author Rob Winch
@@ -60,6 +61,21 @@ public class OidcIdTokenValidatorTests {
 		assertThat(this.validateIdToken()).isEmpty();
 	}
 
+
+	@Test
+	public void setClockSkewWhenNullThenThrowIllegalArgumentException() {
+		OidcIdTokenValidator idTokenValidator = new OidcIdTokenValidator(this.registration.build());
+		assertThatThrownBy(() -> idTokenValidator.setClockSkew(null))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void setClockSkewWhenNegativeSecondsThenThrowIllegalArgumentException() {
+		OidcIdTokenValidator idTokenValidator = new OidcIdTokenValidator(this.registration.build());
+		assertThatThrownBy(() -> idTokenValidator.setClockSkew(Duration.ofSeconds(-1)))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
 	@Test
 	public void validateWhenIssuerNullThenHasErrors() {
 		this.claims.remove(IdTokenClaimNames.ISS);
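Review bot: The negative-skew test covers only a whole-second value, so the boundary of the new check is not pinned: nothing asserts that `Duration.ZERO` is accepted or that a sub-second negative value such as `Duration.ofMillis(-1)` is rejected. Adding both cases would protect the guard against a later rewrite that compares a different component of the Duration. Both new tests assert only the exception type; chaining `.hasMessage("clockSkew must be >= 0")` on the negative case would show which assertion fired. The enclosing test class continues outside the hunk.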