Use provided date for token validation #1477

ttkaae opened this issue May 24, 2025 · 0 comments

What is the problem?
Our company is in the logistics industry and therefore it is sometimes easier for our agents to assist their clients if they set their own computers to the client's timezone since a lot of the logic depends on the time of day and date of year.

Description of the problem
Manipulating the computer's client date and time causes issues with the token validation. Currently, in the JwksValidationHandler of angular-oauth2-oidc, jsrsasign uses the current client date to validate the token despite the library providing a custom DateTimeProvider.
It means that if the client has set their computer time 5 hours ahead of their actual time and our token lifetime is 4 hours, our refresh logic means that the app goes into an infinite loop because it uses the computer's time instead of the actual, calibrated client date (UTC from our server).

It is this part of the code that needs to include the verifyAt property with the actual client date to address the issue:

    export class JwksValidationHandler extends AbstractValidationHandler {

      // ...

      let keyObj = rs.KEYUTIL.getKey(key);
      let validationOptions = {
        alg: this.allowedAlgorithms,
        gracePeriod: this.gracePeriodInSec,
        // needed since jsrsasign uses Date.now() instead of whatever is provided by `DateTimeProvider`
        verifyAt: realTime
      };
      let isValid = rs.KJUR.jws.JWS.verifyJWT(
        params.idToken,
        keyObj,
        validationOptions,
      );

Suggestions on how to approach and solve it
I have been thinking about different ways of solving this

  1. Provide the Injector instance in the constructor so that the JwksValidationHandler can get the date from the provider and set the verifyAt property, i.e.

    constructor(
      private injector?: Injector
    ) {}

    let validationOptions = {
      alg: this.allowedAlgorithms,
      gracePeriod: this.gracePeriodInSec,
      // DateTimeProvider.now() and Date.now() both return epoch milliseconds; verifyAt is in seconds
      verifyAt: Math.floor((this.injector?.get(DateTimeProvider).now() ?? Date.now()) / 1000)
    };

This solution has the advantage of having the date logic "baked in" if the injector instance is provided in the implementation.

  2. Pass in validationOptions in the constructor and merge with the current options object, i.e.

    constructor(
      // e.g. { verifyAt: Math.floor(this.injector.get(DateTimeProvider).now() / 1000) }
      private customValidationOptions?: object
    ) {}

    let validationOptions = {
      alg: this.allowedAlgorithms,
      gracePeriod: this.gracePeriodInSec,
      ...this.customValidationOptions
    };

This approach gives more flexibility but requires more from the implementation. On the other hand, it keeps the JwksValidationHandler class non-agnostic to Angular.

I'm not sure which approach is preferred or if both are valid.

Other enhancements

  • It could also be nice if all functions were public on the JwksValidationHandler class so that it is easier to extend it for custom implementations.
  • The jsrsasign functions should be separated for cleaner code and to mitigate the need of adding it as a dependency on a custom extension class. The rs namespace should be available through oidc.

ttkaae changed the title from "Use provided date time provider's date for token validation" to "Use provided date for token validation" on May 24, 2025.
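
The scenario from the issue (local clock 5 hours ahead, 4-hour token lifetime), as an added example that is not part of the original post and is not angular-oauth2-oidc or jsrsasign code. `CalibratedClock`, `checkTimeClaims` and `demo` are hypothetical names, the timestamps are constructed, and the claim checks are a simplified model of evaluating `exp`, `nbf` and `iat` at a supplied instant.

```typescript
// Added example; names are hypothetical, not angular-oauth2-oidc or jsrsasign code.
interface TimeClaims { iat?: number; nbf?: number; exp?: number } // epoch seconds

// Clock corrected by an offset measured against a server-supplied UTC time.
class CalibratedClock {
  private offsetMs = 0;
  private localNowMs: () => number;

  constructor(localNowMs: () => number = () => Date.now()) {
    this.localNowMs = localNowMs;
  }

  // serverNowMs: UTC epoch milliseconds reported by the server.
  calibrate(serverNowMs: number): void {
    this.offsetMs = serverNowMs - this.localNowMs();
  }

  // Epoch seconds, the unit a verifyAt-style option expects.
  verifyAtSec(): number {
    return Math.floor((this.localNowMs() + this.offsetMs) / 1000);
  }
}

// Simplified model of JWT time-claim checks evaluated at a chosen instant.
function checkTimeClaims(c: TimeClaims, verifyAtSec: number, graceSec = 0): string[] {
  const problems: string[] = [];
  if (c.exp !== undefined && c.exp + graceSec < verifyAtSec) problems.push("expired");
  if (c.nbf !== undefined && verifyAtSec < c.nbf - graceSec) problems.push("not yet valid");
  if (c.iat !== undefined && verifyAtSec < c.iat - graceSec) problems.push("issued in the future");
  return problems;
}

// Constructed scenario from the issue: local clock 5 h ahead, token lifetime 4 h.
function demo() {
  const HOUR = 3600;
  const serverNowSec = 1748000000; // constructed "true" UTC time
  const skewedLocalMs = () => (serverNowSec + 5 * HOUR) * 1000;
  const claims: TimeClaims = { iat: serverNowSec, nbf: serverNowSec, exp: serverNowSec + 4 * HOUR };
  const clock = new CalibratedClock(skewedLocalMs);
  clock.calibrate(serverNowSec * 1000);

  return {
    withLocalClock: checkTimeClaims(claims, Math.floor(skewedLocalMs() / 1000), 60),
    withCalibratedClock: checkTimeClaims(claims, clock.verifyAtSec(), 60),
    clockFiveHoursBehind: checkTimeClaims(claims, serverNowSec - 5 * HOUR, 60),
  };
}

console.log(demo());
```

The calibration timestamp is security-relevant input, so it should come from the same authenticated server that issues the tokens.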