Merge da8ea015b7 into 2c5827061f

README.md

@@ -236,7 +236,7 @@ with:
 
 You can configure trust between your own OIDC Provider and Vault
 with the JWT auth method. Provide a `role` & `jwtPrivateKey` parameters,
-additionally you can pass `jwtKeyPassword` & `jwtTtl` parameters
+additionally you can pass `jwtKeyPassword`, `jwtTtl`, & `jwtIat` parameters.
 
 ```yaml
 with:
@@ -247,6 +247,7 @@ with:
   jwtPrivateKey: ${{ secrets.JWT_PRIVATE_KEY }}
   jwtKeyPassword: ${{ secrets.JWT_KEY_PASS }}
   jwtTtl: 3600 # 1 hour, default value
+  jwtIat: 60 # 1 min, default value.  Negative int postdates
 ```
 
 ### Kubernetes

action.yml

@@ -89,6 +89,10 @@ inputs:
     description: 'Time in seconds, after which token expires'
     required: false
     default: 3600
+  jwtIat:
+    description: 'Number of seconds (int) to predate the token issued at (iat).'
+    required: false
+    default: 60
   secretEncodingType:
     description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
     required: false

integrationTests/basic/jwt_auth.test.js

@@ -44,7 +44,7 @@ function mockGithubOIDCResponse(aud= "https://github.com/hashicorp/vault-action"
         ref_type: "branch",
         job_workflow_ref: "hashicorp/vault-action/.github/workflows/workflow.yml@refs/heads/main",
         iss: 'vault-action',
-        iat: now,
+        iat: now - 60,
         nbf: now,
         exp: now + 3600,
     };

src/auth.js

@@ -34,6 +34,7 @@ async function retrieveToken(method, client) {
             const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
             const keyPassword = core.getInput('jwtKeyPassword', { required: false });
             const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
+            const tokenIat = core.getInput('jwtIat', { required: false }) || '60';
             const githubAudience = core.getInput('jwtGithubAudience', { required: false });
 
             if (!privateKey) {
@@ -42,7 +43,7 @@ async function retrieveToken(method, client) {
                     return result;
                 });
             } else {
-                jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
+                jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl), Number(tokenIat));
             }
 
             return await getClientToken(client, method, path, { jwt: jwt, role: role });
@@ -84,14 +85,15 @@ async function retrieveToken(method, client) {
  * @param {string} privateKey
  * @param {string} keyPassword
  * @param {number} ttl
+ * @param {number} iat
  */
-function generateJwt(privateKey, keyPassword, ttl) {
+function generateJwt(privateKey, keyPassword, ttl, iat) {
     const alg = 'RS256';
     const header = { alg: alg, typ: 'JWT' };
     const now = rsasign.KJUR.jws.IntDate.getNow();
     const payload = {
         iss: 'vault-action',
-        iat: now,
+        iat: now - iat,
         nbf: now,
         exp: now + ttl,
         event: process.env.GITHUB_EVENT_NAME,