Token used before issued #98
Comments
|
Thanks, I'll test with jwt.TimeFunc = func() time.Time {
return time.Now().UTC().Add(time.Second * 20)
}to see if it gets rid of these errors. |
|
Hey @JorritSalverda did that solve your issue? |
|
Hi @mfridman for some reason it didn't help and i resorted to jumping through a lot of hoops to ignore this type of validation error, see https://github.com/estafette/estafette-ci-api/blob/main/pkg/clients/bitbucketapi/client.go#L277-L309 Looking at my logs the now value is actually larger than iat, so have to figure out how to get the actual value for now used during evaluation. I think though it's probably only off by a couple of milliseconds so not sure why overriding the |
|
Thanks for the insight. I think introducing (configurable) leeway could help with these sorts of issues. Side note, every-time I see folks having to resort binary operators to determine the error it makes me cringe, because it's so prone to error. |
|
Is the error "token used before issued" really needed? RFC7519 says that:
RFC7519 also says that:
however, RFC7519 DOES NOT say that the "iat" (issued at) claim identifies the time before which the JWT MUST NOT be accepted for processing.
Some implementations of JWT have the |
Yup, it is not really necessary to enforce it according to the specification. That is why in the long run it would be good to implement #16. |
|
@JorritSalverda Could you have a look at #139 to see if that mitigates your problem? Once we have that merged in, it will also pave way to a backwards-compatible way of configuration the validation. This was sort of a chicken-egg problem and we choose to merge in the egg first. |
|
|
|
@oxisto : For v4, Do you think we can also add an option to enable the issued at validation (should be disabled by default) to #139 ? Something along the lines of: func (c *RegisteredClaims) VerifyIssuedAt(cmp time.Time, req bool, opts ...validationOption) bool {
validator := validator{}
for _, o := range opts {
o(&validator)
}
if validator.validateIAT {
if c.IssuedAt == nil {
return verifyIat(nil, cmp, req)
}
return verifyIat(&c.IssuedAt.Time, cmp, req)
}
return true
}I don't think I'd want a leeway option for Issued at. I'd just want to turn it off. func (c *RegisteredClaims) VerifyIssuedAt(cmp time.Time, req bool, opts ...validationOption) bool {
validator := validator{}
for _, o := range opts {
o(&validator)
}
if validator.validateIAT {
if c.IssuedAt == nil {
return verifyIat(nil, cmp, req, validator.leeway)
}
return verifyIat(&c.IssuedAt.Time, cmp, req, validator.leeway)
}
return true
} |
We are still waiting for some minor last fixes in that PR. Once this PR is merged in, we would welcome any additional PRs on this validation topic. |
golang-jwt library is trying to validate iat claim of the ID token and due to not accounting for clock skew, validation pretty randomly fails. There is an open issue golang-jwt/jwt#98 and seems like that is fixed in v4. However it is still unclear why iat is validation in the first place, that's not required by RFC and doesn't seem like the right thing to do. Only nbf and exp claims should be used for token lifetime validity check. Also, update README to show how to configure OpenID providers.
golang-jwt library is trying to validate iat claim of the ID token and due to not accounting for clock skew, validation pretty randomly fails. There is an open issue golang-jwt/jwt#98 and seems like that is fixed in v4. However it is still unclear why iat is validation in the first place, that's not required by RFC and doesn't seem like the right thing to do. Only nbf and exp claims should be used for token lifetime validity check. Also, update README to show how to configure OpenID providers.
|
I landed here after getting "token used before issued" from this library when consuming the OIDC token from GitHub Actions. I'm not sure what kind of skew there may be, but the receiving machine has a correct date/time AFAIK. What's the best workaround for this? |
golang-jwt library is trying to validate iat claim of the ID token and due to not accounting for clock skew, validation pretty randomly fails. There is an open issue golang-jwt/jwt#98 and seems like that is fixed in v4. However it is still unclear why iat is validation in the first place, that's not required by RFC and doesn't seem like the right thing to do. Only nbf and exp claims should be used for token lifetime validity check. Also, update README to show how to configure OpenID providers.
|
@alexellis I ran in to this problem earlier this week and solved it by making a custom Claims type like this: type Claims struct {
ValidFunc func() error
jwt.StandardClaims
}
func (c Claims) Valid() error {
if c.ValidFunc == nil {
return c.StandardClaims.Valid()
}
return c.ValidFunc()
}
func main() {
claims := Claims{}
claims.ValidFunc = func() error {
claims.IssuedAt = 0
return claims.StandardClaims.Valid()
}
jwt.ParseWithClaims(tokenString, &claims, keyFunc)
}The reason this works is that Lines 122 to 127 in 2ebb50f |
While this works, I personally would not recommend that as this is going a route that will probably be changed in the upcoming |
|
Fixed by #234 |
Having switched from
github.com/dgrijalva/jwt-gotogithub.1485827954.workers.dev/golang-jwt/jwt/v4I still gettoken used before issuederrors due to clock skew, even though @dgrijalva said this check would be removed from v4, in line with jwt spec. Seejwt/claims.go
Lines 63 to 66 in 3f50a78
However I see that check is still executed at dgrijalva/jwt-go#314 (comment). Is this dependent on #16 getting resolved? Until that's resolved can the
VerifyIssuedAtcheck just be dropped? Or any other suggested workarounds?The text was updated successfully, but these errors were encountered: