Add Configured leeway to JWT time validation claims in case of a clock skew #1741
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
letzya
changed the title
|
@letzya since your JWT disable validation fields not released yet, and do the similar thing but worse, what do you think about removing them at all? |
|
@buger It potentially could be useful for troubleshooting (when you can't change your jwt). |
letzya
force-pushed
the
configured_clock_skew
branch
from
b178227
to
b2f1d29
Compare
|
Yes, but your options replace mine. If you set very high clock skew it is same as disabling validation. |
|
Ok, will remove it. |
|
@buger Removed. |
letzya
force-pushed
the
configured_clock_skew
branch
from
990414e
to
957b437
Compare
|
@buger Important PR for a client. |
letzya
force-pushed
the
configured_clock_skew
branch
from
7fb1354
to
bed53e8
Compare
|
@buger please review. thanks |
|
Looks good 👍 Will go to 2.7.2 |
buger
pushed a commit
that referenced
this pull request
Aug 16, 2018
…k skew (#1741) [This fix ](abb1b35 )helps to avoid jwt failure but can risk us since it won't validate the time-related claims at all (using disable config fields in api def). I have added a field that gives leeway ,in seconds, in case there is a clock skew times between the signing server (Idp for instance) and the verifying server, i.e. Tyk. Have added tests for both type of fields - disable time claims validation and added leeway to time claims validation.
buger
pushed a commit
that referenced
this pull request
Sep 25, 2018
…k skew (#1741) [This fix ](abb1b35 )helps to avoid jwt failure but can risk us since it won't validate the time-related claims at all (using disable config fields in api def). I have added a field that gives leeway ,in seconds, in case there is a clock skew times between the signing server (Idp for instance) and the verifying server, i.e. Tyk. Have added tests for both type of fields - disable time claims validation and added leeway to time claims validation.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fix helps to avoid jwt failure but can risk us since it won't validate the time-related claims at all (using disable config fields in api def).
I have added a field that gives leeway ,in seconds, in case there is a clock skew times between the signing server (Idp for instance) and the verifying server, i.e. Tyk.
Have added tests for both type of fields - disable time claims validation and added leeway to time claims validation.