This repository has been archived by the owner on Jul 6, 2023. It is now read-only.

client: disable issued at time claim in jwt #1223

Merged
merged 3 commits into from Jul 5, 2018


raghavendra-talur
Member

From dgrijalva/jwt-go#139 it is understood
that if the machine where jwt token is generated and/or the machine
where jwt token is verified have any clock skew then there is a
possibility of getting a "Token used before issued" error. Considering
that we also check for expiration with delta of 5 minutes, disabling
iat claim until the patch is merged in jwt.

Signed-off-by: Raghavendra Talur <rtalur@redhat.com>

What does this PR achieve? Why do we need it?

This PR disables the issued at time claim in jwt. Doing so will stop "token used before issued" errors.

Does this PR fix issues?

Fixes #646

Notes for the reviewer

@phlogistonjohn
Contributor

Looks like the server may need a corresponding change. (Some of) the tests are failing due to the iat claim being missing. Perhaps we should make this configurable for backwards compatibility reasons?

From dgrijalva/jwt-go#139 it is understood
that if the machine where jwt token is generated and/or the machine
where jwt token is verified have any clock skew then there is a
possibility of getting a "Token used before issued" error.  Considering
that we also check for expiration with delta of 5 minutes, disabling iat
claim until the patch is merged in jwt.

Signed-off-by: Raghavendra Talur <rtalur@redhat.com>
@phlogistonjohn
Contributor

retest this please

Contributor

@obnoxxx obnoxxx left a comment

LGTM.

This now only changes the server. So we should be good.

@obnoxxx obnoxxx merged commit c3d8eab into heketi:master Jul 5, 2018
@raghavendra-talur raghavendra-talur deleted the fix-jwt-issue branch July 11, 2018 17:04
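
The clock-skew failure discussed in this thread, as an added example that is not part of the original conversation and is neither heketi's nor jwt-go's code: a standard-library Go model of the `iat` and `exp` checks. `Claims`, `Issue`, `ValidateTimes`, the 30-second skew and the 5-minute token lifetime are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Claims holds the two registered JWT time claims as Unix seconds (hypothetical type).
type Claims struct {
	IssuedAt  int64 // iat; 0 means the claim is absent
	ExpiresAt int64 // exp; 0 means the claim is absent
}

var (
	ErrUsedBeforeIssued = errors.New("token used before issued")
	ErrExpired          = errors.New("token is expired")
)

// ValidateTimes checks iat and exp against the verifier's clock, tolerating
// up to leeway of skew. checkIAT=false models a verifier that ignores iat.
func ValidateTimes(c Claims, now time.Time, leeway time.Duration, checkIAT bool) error {
	n, l := now.Unix(), int64(leeway/time.Second)
	if checkIAT && c.IssuedAt != 0 && c.IssuedAt > n+l {
		return ErrUsedBeforeIssued // issuer clock is ahead of ours by more than leeway
	}
	if c.ExpiresAt != 0 && n > c.ExpiresAt+l {
		return ErrExpired
	}
	return nil
}

// Issue builds claims the way a client whose clock reads clientNow would.
func Issue(clientNow time.Time, ttl time.Duration) Claims {
	return Claims{IssuedAt: clientNow.Unix(), ExpiresAt: clientNow.Add(ttl).Unix()}
}

func main() {
	server := time.Date(2018, 7, 5, 12, 0, 0, 0, time.UTC)  // constructed sample time
	tok := Issue(server.Add(30*time.Second), 5*time.Minute) // client clock 30s ahead
	fmt.Println("strict iat:   ", ValidateTimes(tok, server, 0, true))
	fmt.Println("60s leeway:   ", ValidateTimes(tok, server, time.Minute, true))
	fmt.Println("iat unchecked:", ValidateTimes(tok, server, 0, false))
	// Ignoring iat leaves the expiry check in force: a stale token is still rejected.
	fmt.Println("10 min later: ", ValidateTimes(tok, server.Add(10*time.Minute), 0, false))
}
```

Either a leeway on the `iat` comparison or omitting the claim avoids the spurious rejection; in both cases the bounded `exp` window is what limits token reuse.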
Development

Successfully merging this pull request may close these issues.

Authentication failing with "Token used before issued"
3 participants