From 45891941b0c1fa705c3ad9c0b324fb0c8078dd0f Mon Sep 17 00:00:00 2001
From: Vishal Raj
Date: Thu, 7 Feb 2019 23:46:17 +0530
Subject: [PATCH] OidcIdTokenValidator ensures clockSkew is positive number
Fixes gh-6443
---
 .../authentication/OidcIdTokenValidator.java | 1 +
 .../OidcIdTokenValidatorTests.java | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java
index e5d31dafc7..8d086a0d92 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java
@@ -132,6 +132,7 @@ public final class OidcIdTokenValidator implements OAuth2TokenValidator {
 */
 public final void setClockSkew(Duration clockSkew) {
 Assert.notNull(clockSkew, "clockSkew cannot be null");
+ Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");
 this.clockSkew = clockSkew;
 }
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java
index ef0084ae1b..5ef5f7d25f 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java
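Review bot: The Javadoc that closes just above `setClockSkew` starts outside this hunk, so it is not visible whether it records the new precondition; the setter now rejects negative values and the contract should say so, e.g. `@param clockSkew the maximum acceptable clock skew, must not be null or negative`. The guard reads more directly as `Assert.isTrue(!clockSkew.isNegative(), "clockSkew must be >= 0");`, which is equivalent because `Duration.isNegative()` tests the same seconds field. The setter still has no upper bound; if the skew is applied to the ID token's time claims, as the class name suggests, the Javadoc should also note that a large value widens the window in which an expired token is accepted.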
@@ -33,6 +33,7 @@ import java.util.HashMap;
 import java.util.Map;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 /**
 * @author Rob Winch
@@ -60,6 +61,21 @@ public class OidcIdTokenValidatorTests {
 assertThat(this.validateIdToken()).isEmpty();
 }
+
+ @Test
+ public void setClockSkewWhenNullThenThrowIllegalArgumentException() {
+ OidcIdTokenValidator idTokenValidator = new OidcIdTokenValidator(this.registration.build());
+ assertThatThrownBy(() -> idTokenValidator.setClockSkew(null))
+ .isInstanceOf(IllegalArgumentException.class);
+ }
+
+ @Test
+ public void setClockSkewWhenNegativeSecondsThenThrowIllegalArgumentException() {
+ OidcIdTokenValidator idTokenValidator = new OidcIdTokenValidator(this.registration.build());
+ assertThatThrownBy(() -> idTokenValidator.setClockSkew(Duration.ofSeconds(-1)))
+ .isInstanceOf(IllegalArgumentException.class);
+ }
+
 @Test
 public void validateWhenIssuerNullThenHasErrors() {
 this.claims.remove(IdTokenClaimNames.ISS);
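Review bot: The negative case in the second hunk is covered only by `Duration.ofSeconds(-1)`, and nothing pins the boundary that the new guard defines. A sub-second value such as `Duration.ofMillis(-1)` is stored with a seconds field of -1, so a test for it would document that the `getSeconds()`-based check also rejects fractional negatives, and a test that `setClockSkew(Duration.ZERO)` does not throw would fix the `>= 0` edge. Both new tests assert only the exception type; adding `.hasMessage("clockSkew must be >= 0")` to the negative case would tell the two `IllegalArgumentException` paths apart.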