feature request: make clockTolerance configurable #6050

Open
Yousefjb opened this issue Jun 18, 2024 · 3 comments
Labels
Engineering feature-request Something cool or not cool


@Yousefjb

What problem did you meet?

Very often our users' clocks are not synced with an NTP server, or on the day when DST changes, the time difference between Logto and the client can be +1 hr, so we thought we could set the clockTolerance option to something that suits us better than the default 15 seconds.

Describe what you'd like Logto to have

An env variable that changes the default clockTolerance of node-oidc-provider.

@xiaoyijun
Contributor

Hi @Yousefjb, thanks for your feedback.

The user’s clock may indeed not be synchronized with the server. However, if you are validating the JWT token (such as the ID Token) on the client side, you can improve fault tolerance by adjusting the clockTolerance used during client-side validation. See logto-io/js#736

But this might not be effective for requests sent to node-oidc-provider (such as fetchUserInfo) and might require additional support from Logto.

Would adjusting the clockTolerance for client-side validation help you? Alternatively, could you provide more context based on the actual issues you are facing? This would help us make a better decision on whether to enable the relevant configurations in node-oidc-provider.

xiaoyijun self-assigned this on Jun 20, 2024
xiaoyijun added the enhancement and feature-request labels and removed the enhancement label on Jun 20, 2024
@Yousefjb
Author

Yes, I think client-side validation would work for us, as communicating with the Logto API is done via our APIs. However, we are using the @logto/browser package, and it needs to expose the new clockTolerance added to the @logto/client package.
That would solve our problem.

@xiaoyijun
Contributor

xiaoyijun commented Jun 21, 2024

You can customize the JWT verifier like so:

const logtoClient = new LogtoClient(/* ... */);
logtoClient.setJwtVerifier({
  verifyIdToken() {},
});

The clockTolerance and other verification logic can be fully customized inside your verifyIdToken method.
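An added example, not part of the thread or of Logto's code: the time-claim check a custom `verifyIdToken` would run after the ID token's signature, issuer and audience have been verified, with a configurable `clockTolerance`. The names `checkTimeClaims` and `maxTolerance`, the 300-second ceiling, and the sample claims are assumptions made for illustration; the ceiling is there because every second of tolerance is also a second during which an expired token is still accepted.

```javascript
// Hypothetical helper: validate exp / nbf / iat of ALREADY signature-verified claims.
// All values are in seconds since the Unix epoch (UTC), as in the JWT spec.
function checkTimeClaims(claims, options = {}) {
  const {
    clockTolerance = 0,                     // allowed skew between client and issuer
    maxTolerance = 300,                     // assumed policy ceiling, choose your own
    now = Math.floor(Date.now() / 1000),    // injectable so the check is testable
  } = options;

  // Reject a misconfigured tolerance instead of silently widening the window.
  if (!Number.isInteger(clockTolerance) || clockTolerance < 0 || clockTolerance > maxTolerance) {
    throw new RangeError(`clockTolerance must be an integer in 0..${maxTolerance} seconds`);
  }

  const { exp, nbf, iat } = claims;

  // exp and iat are required in an OIDC ID token: fail closed if absent or malformed.
  if (typeof exp !== 'number') return { ok: false, reason: 'exp missing' };
  if (typeof iat !== 'number') return { ok: false, reason: 'iat missing' };

  // Client clock ahead of the issuer: a fresh token can look expired.
  if (now - clockTolerance >= exp) return { ok: false, reason: 'expired' };

  // Client clock behind the issuer: a fresh token can look not-yet-valid.
  if (nbf !== undefined && (typeof nbf !== 'number' || nbf > now + clockTolerance)) {
    return { ok: false, reason: 'not yet valid' };
  }
  if (iat > now + clockTolerance) return { ok: false, reason: 'issued in the future' };

  return { ok: true, reason: null };
}

// Constructed sample claims: issued at 1718700000, valid for one hour.
const sampleClaims = { iat: 1718700000, exp: 1718703600 };

function demo() {
  const fast = 1718703610; // client clock 10 s past exp
  const slow = 1718699970; // client clock 30 s before iat
  return {
    fastStrict: checkTimeClaims(sampleClaims, { now: fast }),
    fastTolerant: checkTimeClaims(sampleClaims, { now: fast, clockTolerance: 60 }),
    slowStrict: checkTimeClaims(sampleClaims, { now: slow }),
    slowTolerant: checkTimeClaims(sampleClaims, { now: slow, clockTolerance: 60 }),
  };
}

console.log(demo());
```

A one-hour tolerance would require raising `maxTolerance` explicitly, which keeps the widened acceptance window a visible decision rather than a default.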
