Add a five minute buffer to all expiration checks #141

Closed
theacodes opened this issue Mar 23, 2017 · 7 comments
Comments

@theacodes
Contributor

No description provided.

@theacodes theacodes added the bug label Mar 23, 2017
@theacodes theacodes added this to the 1.0.0 milestone Mar 23, 2017
@theacodes theacodes self-assigned this Mar 23, 2017
@dhermes
Contributor

dhermes commented Mar 23, 2017

Isn't this already built in? From the oauth2client codebase:

CLOCK_SKEW_SECS = 300  # 5 minutes in seconds

@theacodes
Contributor Author

I left it out when I wrote this library. :)

@dhermes
Contributor

dhermes commented Mar 23, 2017

But that's built into the spec, i.e. it wasn't just a quirk of oauth2client.

@theacodes
Contributor Author

Which spec? I don't remember reading about that. I might have overlooked it.

There's also an internal debate ongoing about what the interval should be. :)

@dhermes
Contributor

dhermes commented Mar 23, 2017

Not sure which spec? Tried googling just now and gave up.

@theacodes
Contributor Author

insert shruggie

@dhermes
Contributor

dhermes commented Mar 23, 2017

The JWT profile / ID token spec and the JWT spec mention "skew" but they don't give specific values. For example:

The JWT MUST contain an "exp" (expiration time) claim that limits the time window during which the JWT can be used. The authorization server MUST reject any JWT with an expiration time that has passed, subject to allowable clock skew between systems. Note that the authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future.
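
The passage dhermes quotes is RFC 7523 section 3 (the JWT profile for OAuth 2.0), which leaves the skew value to the implementation. The following is an added example for this thread, not code from google-auth or oauth2client, showing the two places a skew buffer belongs and the direction it is applied in each: on the client, a cached token is treated as expired CLOCK_SKEW_SECS early so it is refreshed before it can lapse in flight; on the verifier, "exp" is accepted up to CLOCK_SKEW_SECS in the past and "nbf"/"iat" up to CLOCK_SKEW_SECS in the future, and the "unreasonably far in the future" rejection from the quoted text is implemented with an assumed MAX_LIFETIME_SECS policy. The 300-second value matches the oauth2client constant quoted above; the sample claims and timestamps are constructed.

```python
"""Expiration checks with a clock-skew allowance.

Added example for the discussion above; not google-auth's or oauth2client's
own code. All times are integer seconds since the epoch (JWT NumericDate).
"""

CLOCK_SKEW_SECS = 300      # 5 minutes, the value oauth2client used
MAX_LIFETIME_SECS = 3600   # assumed policy: reject "exp" more than an hour out


def token_expired(expiry_secs, now_secs, skew=CLOCK_SKEW_SECS):
    """Client side: treat a cached token as expired `skew` seconds early.

    A token with no expiry never expires. Refreshing early means a request
    never leaves with a token that lapses in flight because the client's
    clock runs behind the server's.
    """
    if expiry_secs is None:
        return False
    return now_secs >= expiry_secs - skew


def check_time_claims(claims, now_secs, skew=CLOCK_SKEW_SECS,
                      max_lifetime=MAX_LIFETIME_SECS):
    """Verifier side: return a list of problems with a JWT's time claims.

    Skew is applied in the direction that favours the presenter: "exp" may be
    up to `skew` seconds in the past, "nbf" and "iat" up to `skew` seconds in
    the future. An empty list means the claims are acceptable.
    """
    problems = []
    exp = claims.get("exp")
    if not isinstance(exp, int):
        # RFC 7523 makes "exp" mandatory; nothing else is worth checking without it.
        return ["missing or non-integer exp claim"]
    # RFC 7519: the current time MUST be before "exp"; allow `skew` of slack.
    if not now_secs < exp + skew:
        problems.append("token expired (exp=%d, now=%d)" % (exp, now_secs))
    # An issuer whose clock runs `skew` ahead legitimately produces a larger
    # "exp", so the lifetime cap is widened by the same amount.
    if exp - now_secs > max_lifetime + skew:
        problems.append("exp unreasonably far in the future")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now_secs + skew < nbf:
        problems.append("token not yet valid (nbf in the future)")
    iat = claims.get("iat")
    if isinstance(iat, int) and now_secs + skew < iat:
        problems.append("iat is in the future")
    return problems


def verify_time_claims(claims, now_secs, **kw):
    """Raise ValueError unless the time claims are acceptable."""
    problems = check_time_claims(claims, now_secs, **kw)
    if problems:
        raise ValueError("; ".join(problems))


if __name__ == "__main__":
    now = 1490270400  # constructed "current time" for the demo
    for seconds in (600, 300, 240):
        print("token expiring in %ds: expired=%s"
              % (seconds, token_expired(now + seconds, now)))

    samples = {  # constructed claim sets
        "fresh": {"iat": now - 60, "exp": now + 600},
        "just past exp (within skew)": {"exp": now - 100},
        "past exp and skew": {"exp": now - 301},
        "exp too far out": {"exp": now + MAX_LIFETIME_SECS + 301},
        "not yet valid": {"nbf": now + 301, "exp": now + 900},
    }
    for name, claims in samples.items():
        print("%-28s %s" % (name, check_time_claims(claims, now) or "ok"))
```

Note the asymmetry: the client-side buffer makes the check stricter (a token is abandoned five minutes before its nominal expiry), while the verifier-side buffer makes it more lenient (a token is honoured five minutes past it). Both compensate for the same clock drift, but from opposite ends; picking one value and applying it in the wrong direction on either side either causes spurious rejections or extends the usable life of a leaked token.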

@yoshi-automation yoshi-automation added 🚨 This issue needs some love. triage me I really want to be triaged. labels Apr 7, 2020