Change leeways to TypeSignedDurationSecond (#58)

* Change leeways to TypeSignedDurationSecond * Add better handling for all negative durations * Add test to cover negative role leeways
hashicorp · Jun 27, 2019 · 2f6106e · 2f6106e
1 parent 2c3220b
commit 2f6106e
Show file tree

Hide file tree

Showing 6 changed files with 134 additions and 72 deletions.
diff --git a/go.mod b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/go-sockaddr v1.0.2
 	github.com/hashicorp/go-uuid v1.0.1
 	github.com/hashicorp/vault/api v1.0.1
-	github.com/hashicorp/vault/sdk v0.1.12-0.20190620182832-11e0ec8bf58f
+	github.com/hashicorp/vault/sdk v0.1.12-0.20190626183508-cc3a81801f98
 	github.com/mitchellh/pointerstructure v0.0.0-20190430161007-f252a8fd71c8
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect

diff --git a/go.sum b/go.sum
@@ -71,6 +71,8 @@ github.com/hashicorp/vault/sdk v0.1.12-0.20190620162815-9c68bf2a20eb h1:TsU01ClL
 github.com/hashicorp/vault/sdk v0.1.12-0.20190620162815-9c68bf2a20eb/go.mod h1:w7Nxsfv9KNRjMc5J4WC7jDsJ2wzb/nNQa6UZWy0pyxI=
 github.com/hashicorp/vault/sdk v0.1.12-0.20190620182832-11e0ec8bf58f h1:/y7JK1groP8VTGCvg89iE57+d9sQ7PvGxcHneOGOPBU=
 github.com/hashicorp/vault/sdk v0.1.12-0.20190620182832-11e0ec8bf58f/go.mod h1:w7Nxsfv9KNRjMc5J4WC7jDsJ2wzb/nNQa6UZWy0pyxI=
+github.com/hashicorp/vault/sdk v0.1.12-0.20190626183508-cc3a81801f98 h1:28ekb7e2slhQ3rP52v8FQkEi1VOde1D7Vf3OJZSn5XA=
+github.com/hashicorp/vault/sdk v0.1.12-0.20190626183508-cc3a81801f98/go.mod h1:w7Nxsfv9KNRjMc5J4WC7jDsJ2wzb/nNQa6UZWy0pyxI=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=

diff --git a/path_login.go b/path_login.go
@@ -150,7 +150,9 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 				latestStart = *claims.NotBefore
 			}
 			leeway := role.ExpirationLeeway.Seconds()
-			if role.ExpirationLeeway.Seconds() == 0 {
+			if role.ExpirationLeeway.Seconds() < 0 {
+				leeway = 0
+			} else if role.ExpirationLeeway.Seconds() == 0 {
 				leeway = claimDefaultLeeway
 			}
 			*claims.Expiry = jwt.NumericDate(int64(latestStart) + int64(leeway))
@@ -161,7 +163,9 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 				*claims.NotBefore = *claims.IssuedAt
 			} else {
 				leeway := role.NotBeforeLeeway.Seconds()
-				if role.NotBeforeLeeway.Seconds() == 0 {
+				if role.NotBeforeLeeway.Seconds() < 0 {
+					leeway = 0
+				} else if role.NotBeforeLeeway.Seconds() == 0 {
 					leeway = claimDefaultLeeway
 				}
 				*claims.NotBefore = jwt.NumericDate(int64(*claims.Expiry) - int64(leeway))
@@ -179,7 +183,9 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 		}
 
 		cksLeeway := role.ClockSkewLeeway
-		if role.ClockSkewLeeway.Seconds() == 0 {
+		if role.ClockSkewLeeway.Seconds() < 0 {
+			cksLeeway = 0
+		} else if role.ClockSkewLeeway.Seconds() == 0 {
 			cksLeeway = jwt.DefaultLeeway
 		}
 

diff --git a/path_login_test.go b/path_login_test.go
@@ -91,10 +91,7 @@ func setupBackend(t *testing.T, oidc, role_type_oidc, audience, boundClaims, bou
 		data["bound_cidrs"] = "127.0.0.42"
 	}
 
-	if defaultLeeway >= 0 {
-		data["clock_skew_leeway"] = defaultLeeway
-	}
-
+	data["clock_skew_leeway"] = defaultLeeway
 	data["expiration_leeway"] = expLeeway
 	data["not_before_leeway"] = nbfLeeway
 
@@ -717,53 +714,55 @@ func testLogin_ExpiryClaims(t *testing.T, jwks bool) {
 		DefaultLeeway int
 		ExpLeeway     int
 	}{
-		// iat, default clock_skew_leeway (60s), auto expiration leeway (150s)
-		{"auto expire leeway using iat with clock_skew_leeway", true, jwks, time.Now(), time.Time{}, time.Time{}, -1, 0},
-		{"auto expire leeway using iat with clock_skew_leeway", true, jwks, time.Now().Add(-205 * time.Second), time.Time{}, time.Time{}, -1, 0},
-		{"expired auto expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-215 * time.Second), time.Time{}, time.Time{}, -1, 0},
-		{"expired auto expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-500 * time.Second), time.Time{}, time.Time{}, -1, 0},
+		// iat, auto clock_skew_leeway (60s), auto expiration leeway (150s)
+		{"auto expire leeway using iat with auto clock_skew_leeway", true, jwks, time.Now().Add(-205 * time.Second), time.Time{}, time.Time{}, 0, 0},
+		{"expired auto expire leeway using iat with auto clock_skew_leeway", false, jwks, time.Now().Add(-215 * time.Second), time.Time{}, time.Time{}, 0, 0},
 
 		// iat, clock_skew_leeway (10s), auto expiration leeway (150s)
-		{"auto expire leeway using iat with clock_skew_leeway", true, jwks, time.Now(), time.Time{}, time.Time{}, 10, 0},
-		{"auto expire leeway using iat with clock_skew_leeway", true, jwks, time.Now().Add(-150 * time.Second), time.Time{}, time.Time{}, 10, 0},
-		{"expired auto expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-165 * time.Second), time.Time{}, time.Time{}, 10, 0},
-		{"expired auto expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-500 * time.Second), time.Time{}, time.Time{}, 10, 0},
+		{"auto expire leeway using iat with custom clock_skew_leeway", true, jwks, time.Now().Add(-150 * time.Second), time.Time{}, time.Time{}, 10, 0},
+		{"expired auto expire leeway using iat with custom clock_skew_leeway", false, jwks, time.Now().Add(-165 * time.Second), time.Time{}, time.Time{}, 10, 0},
 
-		// nbf, default clock_skew_leeway (60s), auto expiration leeway (150s)
-		{"auto expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now(), time.Time{}, -1, 0},
-		{"auto expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-205 * time.Second), time.Time{}, -1, 0},
-		{"expired auto expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-215 * time.Second), time.Time{}, -1, 0},
-		{"expired auto expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-500 * time.Second), time.Time{}, -1, 0},
+		// iat, no clock_skew_leeway (0s), auto expiration leeway (150s)
+		{"auto expire leeway using iat with no clock_skew_leeway", true, jwks, time.Now().Add(-145 * time.Second), time.Time{}, time.Time{}, -1, 0},
+		{"expired auto expire leeway using iat with no clock_skew_leeway", false, jwks, time.Now().Add(-155 * time.Second), time.Time{}, time.Time{}, -1, 0},
+
+		// nbf, auto clock_skew_leeway (60s), auto expiration leeway (150s)
+		{"auto expire leeway using nbf with auto clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-205 * time.Second), time.Time{}, 0, 0},
+		{"expired auto expire leeway using nbf with auto clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-215 * time.Second), time.Time{}, 0, 0},
 
 		// nbf, clock_skew_leeway (10s), auto expiration leeway (150s)
-		{"auto expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now(), time.Time{}, 10, 0},
-		{"auto expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-145 * time.Second), time.Time{}, 10, 0},
-		{"expired auto expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-165 * time.Second), time.Time{}, 10, 0},
-		{"expired auto expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-210 * time.Second), time.Time{}, 10, 0},
+		{"auto expire leeway using nbf with custom clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-145 * time.Second), time.Time{}, 10, 0},
+		{"expired auto expire leeway using nbf with custom clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-165 * time.Second), time.Time{}, 10, 0},
+
+		// nbf, no clock_skew_leeway (0s), auto expiration leeway (150s)
+		{"auto expire leeway using nbf with no clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-145 * time.Second), time.Time{}, -1, 0},
+		{"expired auto expire leeway using nbf with no clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-155 * time.Second), time.Time{}, -1, 0},
 
-		// iat, default clock_skew_leeway (60s), custom expiration leeway (10s)
-		{"custom expire leeway using iat with clock_skew_leeway", true, jwks, time.Now(), time.Time{}, time.Time{}, -1, 10},
-		{"custom expire leeway using iat with clock_skew_leeway", true, jwks, time.Now().Add(-65 * time.Second), time.Time{}, time.Time{}, -1, 10},
-		{"expired custom expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-75 * time.Second), time.Time{}, time.Time{}, -1, 10},
-		{"expired custom expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-500 * time.Second), time.Time{}, time.Time{}, -1, 10},
+		// iat, auto clock_skew_leeway (60s), custom expiration leeway (10s)
+		{"custom expire leeway using iat with clock_skew_leeway", true, jwks, time.Now().Add(-65 * time.Second), time.Time{}, time.Time{}, 0, 10},
+		{"expired custom expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-75 * time.Second), time.Time{}, time.Time{}, 0, 10},
 
 		// iat, clock_skew_leeway (10s), custom expiration leeway (10s)
-		{"custom expire leeway using iat with clock_skew_leeway", true, jwks, time.Now(), time.Time{}, time.Time{}, 10, 10},
 		{"custom expire leeway using iat with clock_skew_leeway", true, jwks, time.Now().Add(-5 * time.Second), time.Time{}, time.Time{}, 10, 10},
 		{"expired custom expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-25 * time.Second), time.Time{}, time.Time{}, 10, 10},
-		{"expired custom expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-100 * time.Second), time.Time{}, time.Time{}, 10, 10},
+
+		// iat, clock_skew_leeway (10s), no expiration leeway (10s)
+		{"no expire leeway using iat with clock_skew_leeway", true, jwks, time.Now().Add(-5 * time.Second), time.Time{}, time.Time{}, 10, -1},
+		{"expired no expire leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(-15 * time.Second), time.Time{}, time.Time{}, 10, -1},
 
 		// nbf, default clock_skew_leeway (60s), custom expiration leeway (10s)
-		{"custom expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now(), time.Time{}, -1, 10},
-		{"custom expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-65 * time.Second), time.Time{}, -1, 10},
-		{"expired custom expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-75 * time.Second), time.Time{}, -1, 10},
-		{"expired custom expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-100 * time.Second), time.Time{}, -1, 10},
+		{"custom expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-65 * time.Second), time.Time{}, 0, 10},
+		{"expired custom expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-75 * time.Second), time.Time{}, 0, 10},
 
-		// nbf, clock_skew_leeway (10s), custom custom expiration leeway (10)
-		{"custom expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now(), time.Time{}, 10, 10},
+		// nbf, clock_skew_leeway (10s), custom expiration leeway (0s)
 		{"custom expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-5 * time.Second), time.Time{}, 10, 10},
 		{"expired custom expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-25 * time.Second), time.Time{}, 10, 10},
-		{"expired custom expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-100 * time.Second), time.Time{}, 10, 10},
+
+		// nbf, clock_skew_leeway (10s), no expiration leeway (0s)
+		{"no expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-5 * time.Second), time.Time{}, 10, -1},
+		{"no expire leeway using nbf with clock_skew_leeway", true, jwks, time.Time{}, time.Now().Add(-5 * time.Second), time.Time{}, 10, -100},
+		{"expired no expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-15 * time.Second), time.Time{}, 10, -1},
+		{"expired no expire leeway using nbf with clock_skew_leeway", false, jwks, time.Time{}, time.Now().Add(-15 * time.Second), time.Time{}, 10, -100},
 	}
 
 	for i, tt := range tests {
@@ -798,39 +797,42 @@ func testLogin_NotBeforeClaims(t *testing.T, jwks bool) {
 		NBFLeeway     int
 	}{
 		// iat, auto clock_skew_leeway (60s), no nbf leeway (0)
-		{"no nbf leeway using exp with clock_skew_leeway", true, jwks, time.Now(), time.Time{}, time.Now(), -1, 0},
-		{"no nbf leeway using iat with clock_skew_leeway", true, jwks, time.Now().Add(55 * time.Second), time.Time{}, time.Now(), -1, 0},
-		{"not yet valid no nbf leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(65 * time.Second), time.Time{}, time.Now(), -1, 0},
-		{"not yet valid no nbf leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(100 * time.Second), time.Time{}, time.Now(), -1, 0},
+		{"no nbf leeway using iat with auto clock_skew_leeway", true, jwks, time.Now().Add(55 * time.Second), time.Time{}, time.Now(), 0, -1},
+		{"not yet valid no nbf leeway using iat with auto clock_skew_leeway", false, jwks, time.Now().Add(65 * time.Second), time.Time{}, time.Now(), 0, -1},
 
 		// iat, clock_skew_leeway (10s), no nbf leeway (0s)
-		{"no nbf leeway using iat with no clock_skew_leeway", true, jwks, time.Now(), time.Time{}, time.Time{}, 10, 0},
-		{"not yet valid no nbf leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(15 * time.Second), time.Time{}, time.Time{}, 10, 0},
-		{"not yet valid no nbf leeway using iat with clock_skew_leeway", false, jwks, time.Now().Add(60 * time.Second), time.Time{}, time.Time{}, 10, 0},
+		{"no nbf leeway using iat with custom clock_skew_leeway", true, jwks, time.Now().Add(5 * time.Second), time.Time{}, time.Time{}, 10, -1},
+		{"not yet valid no nbf leeway using iat with custom clock_skew_leeway", false, jwks, time.Now().Add(15 * time.Second), time.Time{}, time.Time{}, 10, -1},
+
+		// iat, no clock_skew_leeway (0s), nbf leeway (5s)
+		{"nbf leeway using iat with no clock_skew_leeway", true, jwks, time.Now(), time.Time{}, time.Time{}, -1, 5},
+		{"not yet valid nbf leeway using iat with no clock_skew_leeway", false, jwks, time.Now().Add(6 * time.Second), time.Time{}, time.Time{}, -1, 5},
 
 		// exp, auto clock_skew_leeway (60s), auto nbf leeway (150s)
-		{"auto nbf leeway using exp with clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now(), -1, 0},
-		{"auto nbf leeway using exp with clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(205 * time.Second), -1, 0},
-		{"not yet valid auto nbf leeway using exp with clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(215 * time.Second), -1, 0},
-		{"not yet valid auto nbf leeway using exp with clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(500 * time.Second), -1, 0},
+		{"auto nbf leeway using exp with auto clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(205 * time.Second), 0, 0},
+		{"not yet valid auto nbf leeway using exp with auto clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(215 * time.Second), 0, 0},
 
 		// exp, clock_skew_leeway (10s), auto nbf leeway (150s)
-		{"auto nbf leeway using exp with clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now(), 10, 0},
-		{"auto nbf leeway using exp with clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(150 * time.Second), 10, 0},
-		{"not yet valid auto nbf leeway using exp with clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(165 * time.Second), 10, 0},
-		{"not yet valid auto nbf leeway using exp with clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(500 * time.Second), 10, 0},
+		{"auto nbf leeway using exp with custom clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(150 * time.Second), 10, 0},
+		{"not yet valid auto nbf leeway using exp with custom clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(165 * time.Second), 10, 0},
+
+		// exp, no clock_skew_leeway (0s), auto nbf leeway (150s)
+		{"auto nbf leeway using exp with no clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(145 * time.Second), -1, 0},
+		{"not yet valid auto nbf leeway using exp with no clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(152 * time.Second), -1, 0},
 
 		// exp, auto clock_skew_leeway (60s), custom nbf leeway (10s)
-		{"custom nbf leeway using exp with clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now(), -1, 10},
-		{"custom nbf leeway using exp with clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(65 * time.Second), -1, 10},
-		{"not yet valid custom nbf leeway using exp with clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(75 * time.Second), -1, 10},
-		{"not yet valid custom nbf leeway using exp with clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(500 * time.Second), -1, 10},
+		{"custom nbf leeway using exp with auto clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(65 * time.Second), 0, 10},
+		{"not yet valid custom nbf leeway using exp with auto clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(75 * time.Second), 0, 10},
 
 		// exp, clock_skew_leeway (10s), custom nbf leeway (10s)
-		{"custom nbf leeway using exp with clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(1 * time.Second), 10, 10},
-		{"custom nbf leeway using exp with clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(15 * time.Second), 10, 10},
-		{"not yet valid custom nbf leeway using exp with clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(25 * time.Second), 10, 10},
-		{"not yet valid custom nbf leeway using exp with clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(100 * time.Second), 10, 10},
+		{"custom nbf leeway using exp with custom clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(15 * time.Second), 10, 10},
+		{"not yet valid custom nbf leeway using exp with custom clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(25 * time.Second), 10, 10},
+
+		// exp, no clock_skew_leeway (0s), custom nbf leeway (5s)
+		{"custom nbf leeway using exp with no clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(3 * time.Second), -1, 5},
+		{"custom nbf leeway using exp with no clock_skew_leeway", true, jwks, time.Time{}, time.Time{}, time.Now().Add(3 * time.Second), -100, 5},
+		{"not yet valid custom nbf leeway using exp with no clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(7 * time.Second), -1, 5},
+		{"not yet valid custom nbf leeway using exp with no clock_skew_leeway", false, jwks, time.Time{}, time.Time{}, time.Now().Add(7 * time.Second), -100, 5},
 	}
 
 	for i, tt := range tests {

diff --git a/path_role.go b/path_role.go
@@ -74,21 +74,21 @@ duration specified by this value. At each renewal, the token's
 TTL will be set to the value of this parameter.`,
 			},
 			"expiration_leeway": {
-				Type: framework.TypeDurationSecond,
+				Type: framework.TypeSignedDurationSecond,
 				Description: `Duration in seconds of leeway when validating expiration of a token to account for clock skew. 
-Defaults to 150 (2.5 minutes), minimum of 1 second.`,
+Defaults to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.`,
 				Default: claimDefaultLeeway,
 			},
 			"not_before_leeway": {
-				Type: framework.TypeDurationSecond,
+				Type: framework.TypeSignedDurationSecond,
 				Description: `Duration in seconds of leeway when validating not before values of a token to account for clock skew. 
-Defaults to 150 (2.5 minutes), minimum of 1 second..`,
+Defaults to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.`,
 				Default: claimDefaultLeeway,
 			},
 			"clock_skew_leeway": {
-				Type: framework.TypeDurationSecond,
+				Type: framework.TypeSignedDurationSecond,
 				Description: `Duration in seconds of leeway when validating all claims to account for clock skew. 
-Defaults to 60 (1 minute), minimum of 1 second.`,
+Defaults to 60 (1 minute) if set to 0 and can be disabled if set to -1.`,
 				Default: jwt.DefaultLeeway,
 			},
 			"bound_subject": {