Add Configured leeway to JWT time validation claims in case of a clock skew #1741
Conversation
@letzya since your JWT disable-validation fields are not released yet, and do a similar thing but worse, what do you think about removing them altogether?
@buger It could potentially be useful for troubleshooting (when you can't change your JWT).
Yes, but your options replace mine. If you set a very high clock skew it is the same as disabling validation.
Ok, will remove it.
@buger Removed.
@buger Important PR for a client.
@buger please review. Thanks.
Looks good 👍 Will go to 2.7.2
…k skew (#1741) [This fix](abb1b35) helps to avoid JWT failure but can put us at risk since it won't validate the time-related claims at all (using disable config fields in the API def). I have added a field that gives leeway, in seconds, in case there is a clock skew between the signing server (IdP for instance) and the verifying server, i.e. Tyk. Have added tests for both types of fields - disable time claims validation and added leeway to time claims validation.
This fix helps to avoid JWT failure but can put us at risk since it won't validate the time-related claims at all (using disable config fields in the API def).
I have added a field that gives leeway, in seconds, in case there is a clock skew between the signing server (IdP for instance) and the verifying server, i.e. Tyk.
Have added tests for both types of fields - disable time claims validation and added leeway to time claims validation.
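The leeway check the PR describes, as an added Go example that is not Tyk's or the PR's own code: `TimeClaims` and `ValidateTimeClaims` are assumed names, the timestamps are constructed, and the skewed-IdP and stale-token cases show why a bounded leeway is safer than a disable flag.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TimeClaims holds the registered time-related JWT claims (RFC 7519: exp, nbf, iat)
// as Unix seconds; a zero value means the claim is absent from the token.
type TimeClaims struct {
	Exp int64 // expiration time
	Nbf int64 // not before
	Iat int64 // issued at
}

// ValidateTimeClaims checks exp, nbf and iat against now, tolerating up to leeway
// of clock skew between the signing server (e.g. an IdP) and the verifier. Leeway
// widens the acceptance window in both directions but never disables the checks.
func ValidateTimeClaims(c TimeClaims, now time.Time, leeway time.Duration) error {
	// Expired: now is at or past exp, even after granting leeway.
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0).Add(leeway)) {
		return errors.New("token is expired")
	}
	// Not yet valid: nbf is still in the future even if our clock is leeway behind.
	if c.Nbf != 0 && now.Add(leeway).Before(time.Unix(c.Nbf, 0)) {
		return errors.New("token is not valid yet")
	}
	// Issued in the future by more than leeway: clock skew beyond what we tolerate.
	if c.Iat != 0 && now.Add(leeway).Before(time.Unix(c.Iat, 0)) {
		return errors.New("token used before issued")
	}
	return nil
}

func main() {
	now := time.Unix(1_700_000_000, 0) // constructed fixed "current time"
	// Constructed sample: the IdP clock runs 5 s ahead, so iat/nbf land in our future.
	skewed := TimeClaims{Iat: now.Unix() + 5, Nbf: now.Unix() + 5, Exp: now.Unix() + 3600}
	fmt.Println("no leeway :", ValidateTimeClaims(skewed, now, 0))
	fmt.Println("30s leeway:", ValidateTimeClaims(skewed, now, 30*time.Second))
	// A token that expired an hour ago is still rejected with a 30 s leeway.
	stale := TimeClaims{Iat: now.Unix() - 7200, Exp: now.Unix() - 3600}
	fmt.Println("stale     :", ValidateTimeClaims(stale, now, 30*time.Second))
}
```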