Normalizing temporal claims to avoid parsing issues.

Author: rfc3092

libs/texas/src/main/java/no/nav/dolly/libs/texas/TexasTokenIntrospector.java

@@ -15,9 +15,11 @@
 import tools.jackson.databind.JsonNode;
 import tools.jackson.databind.ObjectMapper;
 
+import java.time.Instant;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Map;
 import java.util.Optional;
 import java.util.stream.Stream;
 
@@ -73,8 +75,9 @@ private Mono<OAuth2AuthenticatedPrincipal> parseAndValidate(String introspection
 
             // Extract all claims from the introspection result.
             var attributes = objectMapper.convertValue(root, new TypeReference<HashMap<String, Object>>() {});
+            normalizeTemporalClaims(attributes);
 
-            // Build "scope" or "roles" claim in second argument, for role based authorization? Check token.
+            // Authorities are intentionally empty; access is enforced by authenticated token validation.
             return Mono.just(new OAuth2IntrospectionAuthenticatedPrincipal(attributes, Collections.emptyList()));
 
         } catch (Exception e) {
@@ -84,6 +87,30 @@ private Mono<OAuth2AuthenticatedPrincipal> parseAndValidate(String introspection
 
     }
 
+    private void normalizeTemporalClaims(Map<String, Object> attributes) {
+        normalizeTemporalClaim(attributes, "exp");
+        normalizeTemporalClaim(attributes, "iat");
+        normalizeTemporalClaim(attributes, "nbf");
+    }
+
+    private void normalizeTemporalClaim(Map<String, Object> attributes, String claimName) {
+        Optional
+                .ofNullable(attributes.get(claimName))
+                .ifPresent(value -> {
+                    if (value instanceof Number numberValue) {
+                        attributes.put(claimName, Instant.ofEpochSecond(numberValue.longValue()));
+                        return;
+                    }
+                    if (value instanceof String stringValue) {
+                        try {
+                            attributes.put(claimName, Instant.ofEpochSecond(Long.parseLong(stringValue)));
+                        } catch (NumberFormatException ignored) {
+                            log.warn("Could not parse claim '{}' as epoch seconds", claimName);
+                        }
+                    }
+                });
+    }
+
 
     /**
      * Applies opaque token-based resource server security to the given {@link ServerHttpSecurity} builder.

libs/texas/src/test/java/no/nav/dolly/libs/texas/TexasTokenIntrospectorTest.java

@@ -5,6 +5,7 @@
 import reactor.core.publisher.Mono;
 import tools.jackson.databind.ObjectMapper;
 
+import java.time.Instant;
 import java.util.List;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -27,6 +28,8 @@ void shouldParseIntrospectionResultIntoPlainAttributeTypes() {
                           "active": true,
                           "preferred_username": "user@nav.no",
                           "exp": 1779285182,
+                          "iat": 1779280200,
+                          "nbf": 1779280200,
                           "groups": ["group-1", "group-2"]
                         }
                         """));
@@ -40,7 +43,11 @@ void shouldParseIntrospectionResultIntoPlainAttributeTypes() {
         assertThat(principal.<String>getAttribute("preferred_username"))
                 .isEqualTo("user@nav.no");
         assertThat(principal.<Object>getAttribute("exp"))
-                .isInstanceOf(Number.class);
+                .isEqualTo(Instant.ofEpochSecond(1779285182));
+        assertThat(principal.<Object>getAttribute("iat"))
+                .isEqualTo(Instant.ofEpochSecond(1779280200));
+        assertThat(principal.<Object>getAttribute("nbf"))
+                .isEqualTo(Instant.ofEpochSecond(1779280200));
         assertThat(principal.<List<String>>getAttribute("groups"))
                 .isEqualTo(List.of("group-1", "group-2"));