From 131ef269119add66973975d0a1a8c97d29c93e6c Mon Sep 17 00:00:00 2001
From: Garry O'Donnell
Date: Mon, 8 Apr 2024 07:59:40 +0000
Subject: [PATCH] Check iss, iat & exp when validating JWT in OPA policy
---
 policy/token.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/token.rego b/policy/token.rego
index a69c51c..cf99797 100644
--- a/policy/token.rego
+++ b/policy/token.rego
@@ -22,7 +22,7 @@ jwks := fetch_jwks(jwks_url).raw_body
 valid := io.jwt.decode_verify(input.token, {
 "cert": jwks,
 "iss": "https://authn.diamond.ac.uk/realms/master",
- "time": time.now_ns(),
+ "aud": "account",
 })
 claims := valid[2]
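Review bot: The added `"aud": "account"` constraint does not appear to bind tokens to this service: the issuer URL suggests a Keycloak realm, where `account` is commonly present in the audience of tokens issued to any client, so a token minted for a different application in the same realm would likely still pass. Consider requiring an audience specific to the consumer of this policy, e.g. `"aud": "<this-service-client-id>",` (placeholder), and having the identity provider emit it. With `"time"` removed, the exp/nbf check relies on the builtin defaulting to the current time, which deserves a comment such as `# "time" omitted: exp/nbf are checked against the current time`; as far as I know `io.jwt.decode_verify` does not evaluate `iat`, so the subject line may overstate what is checked. Separately, `claims := valid[2]` reads the payload without the hunk showing any check of `valid[0]`; if that gate is not elsewhere in the file, every rule that uses `claims` should also require `valid[0]`.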