Support id_token leeway #20

Merged
merged 1 commit into from
Oct 10, 2019

sandrinodimattia
Member

Description

Add support for leeway when validating the id_token. This is necessary when the time on your server is running behind on Auth0.

References

#18

@sandrinodimattia sandrinodimattia merged commit 052a4cf into master Oct 10, 2019
...
},
oidcClient: {
clockTolerance: 10 // In seconds.
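
Review bot: the unit in the comment on the clockTolerance line does not match how the value is consumed. The line quoted later in this thread divides the setting by 1000 before handing it to the client (clientSettings.clockTolerance / 1000), so a value of 10 becomes 0.01 s of tolerance and will not absorb real clock skew. Document the unit as milliseconds and use a value such as 10000 in this example, which also matches how httpTimeout is expressed.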

Shouldn’t this be in milliseconds?


@qburnsFB qburnsFB Oct 10, 2019

According to their docs, it is in seconds.

leeway (Integer) A value in seconds; leeway to allow for clock skew with regard to JWT expiration times.

However, later in the oidc-client-settings file, it is referenced as milliseconds. So you may be correct.

Allowed leeway for id_tokens (in milliseconds).

I think the openid-client expects it in milliseconds, and auth0 sets leeway in seconds, so for consistency they did seconds and divided by 1000

client[custom.clock_tolerance] = clientSettings.clockTolerance / 1000;

Member Author

Correct, should be milliseconds to have a consistent way to express timespan (eg: on httpTimeout it's also MS).

Member Author

I updated the readme, thanks for letting me know.

@evansims evansims deleted the support-id_token-leeway branch July 5, 2022 20:13
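
The unit question discussed in this thread, as an added example that is not code from this pull request or from openid-client: time-claim checks for an id_token with a tolerance configured in milliseconds and applied in seconds. The names checkIdTokenTimes and MAX_TOLERANCE_MS, the 60-second cap and the sample timestamps are assumptions made for illustration.

```javascript
// Added example; checkIdTokenTimes and MAX_TOLERANCE_MS are hypothetical names.
const MAX_TOLERANCE_MS = 60 * 1000; // assumed cap: leeway also extends the life of expired tokens

// Convert a tolerance configured in milliseconds to seconds (the unit of exp/iat/nbf).
function toleranceSeconds(clockToleranceMs) {
  if (!Number.isFinite(clockToleranceMs) || clockToleranceMs < 0) {
    throw new RangeError('clockTolerance must be a non-negative number of milliseconds');
  }
  if (clockToleranceMs > MAX_TOLERANCE_MS) {
    throw new RangeError('clockTolerance is larger than ' + MAX_TOLERANCE_MS + ' ms');
  }
  return clockToleranceMs / 1000;
}

// Check the time claims of an already signature-verified id_token payload.
function checkIdTokenTimes(claims, nowMs, clockToleranceMs = 0) {
  const tol = toleranceSeconds(clockToleranceMs);
  const now = nowMs / 1000;
  for (const name of ['exp', 'iat']) {
    if (!Number.isFinite(claims[name])) {
      return { ok: false, reason: name + ' missing or not numeric' };
    }
  }
  if (claims.exp <= now - tol) return { ok: false, reason: 'expired' };
  if (claims.iat > now + tol) return { ok: false, reason: 'iat in the future' };
  if (claims.nbf !== undefined && !(claims.nbf <= now + tol)) {
    return { ok: false, reason: 'nbf invalid or in the future' };
  }
  return { ok: true, reason: null };
}

// Constructed sample: the issuer stamps the token at ISSUER_NOW_S while the
// validating server's clock runs 5 seconds behind.
const ISSUER_NOW_S = 1570700000;
const freshClaims = { iat: ISSUER_NOW_S, exp: ISSUER_NOW_S + 3600 };
const serverNowMs = (ISSUER_NOW_S - 5) * 1000;

console.log(checkIdTokenTimes(freshClaims, serverNowMs, 0));     // no tolerance
console.log(checkIdTokenTimes(freshClaims, serverNowMs, 10000)); // 10 s, given in ms
console.log(checkIdTokenTimes(freshClaims, serverNowMs, 10));    // "10" read as ms is only 0.01 s
```

The same tolerance widens the expiry check, so a token that expired a few seconds ago is accepted as well; that is the reason for keeping the value small and bounded.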