
JWT: 'Expiration time' claim ('exp') is too far in the future #942

Closed
mfix22 opened this issue Jun 11, 2019 · 23 comments · Fixed by #944

Comments

@mfix22 (Contributor) commented Jun 11, 2019

Bug Report

Current Behavior
This error began when I upgraded to v9 from v7

When running probot run index.js I get the following error:

ERROR probot: 'Expiration time' claim ('exp') is too far in the future

I am not creating any tokens manually, this just occurs when the bot tries to authenticate in order to make the first request.

Expected behavior/code
Authentication with the GitHub API on probot@^9 should create valid API tokens

Environment

  • Probot version(s): 9.2.13
  • Node/npm version: Node v10.16.0
  • OS: OSX 10.14.5

Possible Solution

@issue-label-bot commented Jun 11, 2019

Issue-Label Bot is automatically applying the label bug 🐞 to this issue, with a confidence of 0.91. Please mark this comment with 👍 or 👎 to give our bot feedback!


@welcome commented Jun 11, 2019

Thanks for opening this issue. A contributor should be by to give feedback soon. In the meantime, please check out the contributing guidelines and explore other ways you can get involved.

@issue-label-bot issue-label-bot bot added the bug 🐞 label Jun 11, 2019

@warrenbuckley commented Jun 12, 2019

I originally reported this problem in issue #941 and was talking with @gr2m about this. My original problem was my own stupidity; however, I am still running into the JWT expiration claim being too far in the future too.

I am also getting the same error/problem as @mfix22

My ProBot was also updated from v7 to v9, as the TypeScript scaffold/template still uses v7 and not the latest and greatest, so I am wondering if it's related to doing an upgrade perhaps?!

I have got VSCode and the debugger attached to report to me more details about the error and it's making a request to https://api.github.com/app/installations?per_page=100

The request ID in the GitHub header response is as follows, which may help to figure out what went on @gr2m

x-github-request-id: D992:43038:7CA74E:9AE876:5D00DD71


@warrenbuckley commented Jun 12, 2019

For further notes/feedback

  • Updated from 9.2.13 to 9.2.14
  • Removed the entire node_modules folder and did a fresh npm install in case any hard-pinned dependencies were lying around - still no luck :(
  • Fresh checkout of repo - so no local .env file setup with AppID or PGP Key contents
  • Created a new GitHub app & still get same error on first boot once the /setup url has been called & generated the .env file

Hopefully this can be fixed soon @gr2m or @JasonEtco pretty please :)

@warrenbuckley commented Jun 12, 2019

OK for the request made to https://api.github.com/app/installations?per_page=100
I have the following sent as a JWT token as the payload (decoded via jwt.io)

Header

{
  "alg": "RS256",
  "typ": "JWT"
}

Payload

{
  "iat": 1560344073,
  "exp": 1560344673,
  "iss": "32862"
}

Issuer iss matches my GitHub Application ID of 32862 (Latest generated app for testing)
Issued At iat stores seconds since EPOCH so is

GMT: Wednesday, 12 June 2019 12:54:33
Your time zone: Wednesday, 12 June 2019 13:54:33 GMT+01:00 DST
Relative: 13 minutes ago

Expiry exp converts to

GMT: Wednesday, 12 June 2019 13:04:33
Your time zone: Wednesday, 12 June 2019 14:04:33 GMT+01:00 DST
Relative: 5 minutes ago

Related Request ID

x-github-request-id:"F299:3F4D6:14413C3:197E436:5D00F608"

So the JWT has an expiry of exactly 10 minutes, so I am not sure why this fails auth. Are JWTs supposed to have a smaller window when authenticating with the GitHub API?

As the docs here say, it's a valid JWT as long as its lifetime is no longer than 10 minutes:
https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/#authenticating-as-a-github-app

Any thoughts Probot team?

@mfix22 (Contributor, Author) commented Jun 12, 2019

I tried changing this line: https://github.com/octokit/app.js/blob/master/src/get-signed-json-web-token.ts#L12
to be 9 minutes instead of 10, and it started working. This seems like it is a more complicated issue than just changing the expiry, but I hope this gives you some insight.

@gr2m (Contributor) commented Jun 12, 2019

9 seconds instead of 10

you mean 9 minutes instead of 10?

I think it might be a good idea to not max out the expiration; maybe we could reduce it to 9 minutes and 59 seconds, which should work with rounding errors as described at https://github.community/t5/GitHub-API-Development-and/quot-Expiration-time-claim-exp-is-too-far-in-the-future-quot/m-p/20457/highlight/true#M1127

@mfix22 could you try that?

- exp: now + 60 * 10, // JWT expiration time (10 minute maximum)
+ exp: now + 60 * 10 -1, // JWT expiration time (10 minute maximum - 1s to account for rounding errors)  
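Review bot: subtracting a single second from the maximum lifetime (`exp: now + 60 * 10 -1`) only absorbs sub-second rounding; any clock skew larger than that between the client and the API server puts `exp` past the server's 10-minute limit again, and the follow-up in this thread reports that -1 and -20 still fail while -30 works. Suggest a margin of at least 30 seconds, and writing the expression as `60 * 10 - 1` so the subtraction reads clearly.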
@mfix22 (Contributor, Author) commented Jun 12, 2019

Excuse me, yes I meant "minutes". 60 * 10 -1 didn't work, and neither did 60 * 10 - 20.
60 * 10 - 30 worked however.

@gr2m gr2m changed the title JWT Error when running probot locally on version 9 JWT: 'Expiration time' claim ('exp') is too far in the future Jun 12, 2019

@warrenbuckley commented Jun 12, 2019

But @gr2m, my thought is that this has worked up until recently, as surely more people would be reporting this error otherwise. Has something changed at the API end for JWT authorisation?

Also, I will try with a v7 version of ProBot to see whether that has the problem or not and what JWT is getting created there for comparison; if it works, I'll play spot the difference (but it will be tomorrow, UK time).

@gr2m (Contributor) commented Jun 12, 2019

@warrenbuckley I agree. I for one do not see that error with the WIP app, even when running it locally. Can you confirm that if we reduce the expiration time by 30 seconds you no longer see the error (but still do if we only reduce by one or 10 seconds)?

Can either of you provide a minimal test case? We use https://github.com/octokit/app.js internally, maybe a minimal test case to reproduce the problem could only use that?

@gr2m (Contributor) commented Jun 12, 2019

This is how JWT was calculated before:
https://github.com/probot/probot/blob/91cf5b0d367c56cc31e548425c025373f5f19b49/src/github-app.ts

As far as I can tell it's exactly the same as it works right now 🤷‍♂
https://github.com/octokit/app.js/blob/60ca3d97401e728790da68a0e13a1b2bbd1fc05e/src/get-signed-json-web-token.ts

@warrenbuckley commented Jun 12, 2019

Hmm sounds like a game of spot the difference is in order then @gr2m

It's not quite the same though

Previous

exp: Math.floor(Date.now() / 1000) + 60,  // JWT expiration time

Current

const now = Math.floor(Date.now() / 1000);
exp: now + 60 * 10, // JWT expiration time (10 minute maximum)

So the previous one just added 60 seconds to the current issued time, and the current one adds 10 minutes to the current time.

@gr2m (Contributor) commented Jun 12, 2019

Ahhh great spotting! I remember now that we recently fixed that in @octokit/app:
https://github.com/octokit/app.js/pull/33/files

I’d still like to have a minimal reproducible test case, it will help the fine GitHub API folks to investigate the problem faster.

For the time being we can lower the time out in @octokit/app. Anyone of you want to send a pull request?

@mfix22 (Contributor, Author) commented Jun 12, 2019

I can take care of that @gr2m 👍

Also let me know if you want to lower it by more than 30 seconds. It worked for me at 30, but if the value isn't too important, it might be worth lowering more.

@mfix22 mfix22 referenced this issue Jun 12, 2019
@gr2m (Contributor) commented Jun 12, 2019

I think 30s is okay for now. I hope that this problem gets resolved on GitHub’s side soon. I just need a reproducible test case. I was not able to reproduce the error myself yet :(

@warrenbuckley commented Jun 12, 2019

I need to get off my phone for tonight. Will check in the morning how it’s going. Keep me posted 😄

gr2m added a commit to octokit/app.js that referenced this issue Jun 12, 2019

@gr2m gr2m closed this in #944 Jun 12, 2019

@probotbot (Collaborator) commented Jun 12, 2019

🎉 This issue has been resolved in version 9.2.15 🎉

The release is available on:

Your semantic-release bot 📦🚀

@probotbot probotbot added the released label Jun 12, 2019

@warrenbuckley commented Jun 13, 2019

Ace to see a new release this morning, so will try that out later today after some meetings.
@gr2m do you still need a repro case to give to the GitHub API team?

@gr2m (Contributor) commented Jun 13, 2019

@gr2m do you still need a repro case to give to the GitHub API team?

yes, that would be very helpful

@warrenbuckley commented Jun 13, 2019

@gr2m I am struggling to reliably reproduce this. Did you have any luck with a simple repro test case, @mfix22?

I can confirm that upgrading to 9.2.14 fixes the problem in my project I was having 😍

@mfix22 (Contributor, Author) commented Jun 13, 2019

I'll try and put one together, but it will have to be later this week/weekend!

@gr2m (Contributor) commented Jun 13, 2019

No rush! It looks like someone else ran into the same problem: octokit/rest.js#1399

I feel like something changed on GitHub's side.

4 participants