Add and document iat issued date claim

kzu · kzu · commit 6e4751c6874a · 2024-05-14T19:43:58.000-03:00
diff --git a/docs/spec/1.0.0-rc.md b/docs/spec/1.0.0-rc.md
@@ -47,6 +47,7 @@ a manifest in JWT (JSON Web Token) format containing the following claims:
 | ----------- | ----------- |
 | `iss`       | [Standard claim](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.1) containing the URL of the backend that issues sponsor manifests |
 | `aud`       | [Standard claim](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3) containing one or more URLs of the supported sponsoring platforms |
+| `iat`       | [Standard claim](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6) containing the time the manifest was issued at |
 | `sub_jwk`   | [Standard claim](https://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedResponse) containing the public key (JWK) that can be used to check the signature of issued sponsor manifests |
 | `pub`       | Custom claim containing the Base64-encoded public key in `sub_jwt` for easier consumption. |
 
@@ -62,6 +63,7 @@ The following is an example of a sponsorable manifest:
 {
   "iss": "https://sponsorlink.devlooped.com/",
   "aud": "https://github.com/sponsors/devlooped",
+  "iat": 1696118400,
   "pub": "MII...=",
   "sub_jwk": {
     "e": "AQAB",
@@ -80,10 +82,11 @@ that the sponsorable issuer provides to the sponsor, containing the following cl
 | ----------- | ----------- |
 | `iss`       | The token [issuer](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.1), matching the sponsorable manifest issuer claim |
 | `aud`       | The [audience](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3) URL(s) from the sponsorable manifest |
+| `iat`       | The [time the manifest was issued at](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6) |
 | `sub`       | The [subject](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.2) claim, which is the sponsor account (i.e. user GitHub login) |
 | `roles`     | The sponsoring [roles](https://www.rfc-editor.org/rfc/rfc9068.html#section-7.2.1.1) of the authenticated user (e.g. team, org, user, contrib) |
-| `email`     | The sponsor's email(s) |
-| `exp`       | The token's expiration date |
+| `email`     | The sponsor's email(s) [standard claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) |
+| `exp`       | The token's [expiration date](https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.4) |
 
 {: .note }
 > Tools can fetch the sponsorable manifest from `[iss]/jwt` for verification of the sponsor manifest signature.
diff --git a/src/Core/SponsorableManifest.cs b/src/Core/SponsorableManifest.cs
@@ -153,6 +153,8 @@ public string ToJwt(SigningCredentials? signing = default)
                 .Concat(Audience.Select(x => new Claim("aud", x)))
                 .Concat(
                 [
+                    // See https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6
+                    new("iat", Math.Truncate((DateTime.UtcNow - DateTime.UnixEpoch).TotalSeconds).ToString()),
                     new("client_id", ClientId),
                     // non-standard claim containing the base64-encoded public key
                     new("pub", PublicKey),
@@ -191,7 +193,10 @@ public string Sign(IEnumerable<Claim> claims, RsaSecurityKey? key = default, Tim
                 DateTime.UtcNow.Millisecond,
                 DateTimeKind.Utc);
 
-        var tokenClaims = claims.ToList();
+        var tokenClaims = claims.Where(x => x.Type != "iat").ToList();
+
+        // See https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6
+        tokenClaims.Add(new("iat", Math.Truncate((DateTime.UtcNow - DateTime.UnixEpoch).TotalSeconds).ToString()));
 
         if (tokenClaims.Find(c => c.Type == "iss") is { } issuer)
         {
