This repository has been archived by the owner on May 21, 2022. It is now read-only.

"Token used before issued" #383

Open
sanderdekoning opened this issue Feb 29, 2020 · 8 comments

Comments

@sanderdekoning

sanderdekoning commented Feb 29, 2020

When running a Go program on my Mac, I am receiving the following error when parsing a JWT:
"Token used before issued".

However, when I am running on a remote server it is working fine. What causes this issue and how can I resolve it?

EDIT: Strangely, a reboot of my MacBook resolved the issue. It had never occurred before. Any idea what might have caused this issue? I tried changing my Mac system timezone to UTC but it didn't resolve it either.

@intolerance

This module does not support clock tolerance.

// There is no accounting for clock skew.

@sanderdekoning
Author

Thanks! I had read that too, although I am not sure what it refers to, nor how it could potentially be resolved or, as stated, accounted for. Do you have a suggestion?

@intolerance

Basically, clock skew refers to the difference between two system clocks that are not in sync. For example, server A's clock may be 1 minute behind server B's clock.

As an example, a JWT issuing service may set the iat or nbf claims using its system's clock. When a service tries to validate the JWT, it compares the iat or nbf claim to its own system time. When this check fails you get an error, i.e. Token used before issued.

To combat this issue, some libraries, such as Auth0's node-jsonwebtoken, allow you to provide a clockTolerance parameter while validating a JWT. Using this type of feature you can validate a JWT while providing some leeway when comparing the time-sensitive claims.

In order to resolve the issue, you can try to sync the two systems' times; however, I've read that this issue can still occur even when they are synced. In some cases, syncing the two systems' times is impossible, as the signer may be a 3rd party. Ultimately though, it is up to us to try to add support for a clockTolerance type of option into our validation libraries.

@sanderdekoning
Author

All right, I understand now. Thank you for clarifying; I appreciate your time and effort.

@zhanghzong

The issuing time cannot be greater than the current system time.

@mitar

mitar commented Jan 21, 2021

So could this library get a clockTolerance option?

@cedricve

Encountered this one as well. Should be cool if you could ignore the nbf claim.

@heidemn-faro

> cool if you could ignore the nbf claim.

Introducing a maxClockSkew or clockTolerance parameter would be better.
Other JWT libraries have that (e.g. https://github.com/firebase/php-jwt -> JWT::$leeway)
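
The leeway check discussed in this thread, as an added example that is not code from this library or from any commenter. `CheckTimeClaims`, the error values and the sample payload are hypothetical and constructed for illustration, and the payload is assumed to come from a token whose signature has already been verified.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Hypothetical error values for this example; not any JWT library's API.
var (
	ErrUsedBeforeIssued = errors.New("token used before issued")
	ErrNotYetValid      = errors.New("token is not valid yet")
	ErrExpired          = errors.New("token is expired")
)

// timeClaims holds the time claims as whole Unix seconds; 0 means absent.
type timeClaims struct {
	Iat int64 `json:"iat"`
	Nbf int64 `json:"nbf"`
	Exp int64 `json:"exp"`
}

// CheckTimeClaims checks iat, nbf and exp of an already signature-verified
// payload, shifting each comparison by leeway in the token's favour.
func CheckTimeClaims(payload []byte, now time.Time, leeway time.Duration) error {
	var c timeClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("decode claims: %w", err)
	}
	t, skew := now.Unix(), int64(leeway/time.Second)
	switch {
	case c.Exp != 0 && t-skew >= c.Exp: // still expired after allowing for skew
		return ErrExpired
	case c.Iat != 0 && t+skew < c.Iat: // issued further ahead than leeway covers
		return ErrUsedBeforeIssued
	case c.Nbf != 0 && t+skew < c.Nbf:
		return ErrNotYetValid
	}
	return nil
}

func main() {
	// Constructed sample: the issuer's clock runs 30 s ahead of the verifier's.
	now := time.Unix(1700000000, 0)
	payload := []byte(`{"iat":1700000030,"nbf":1700000030,"exp":1700000330}`)
	fmt.Println(CheckTimeClaims(payload, now, 0))
	fmt.Println(CheckTimeClaims(payload, now, 60*time.Second))
}
```

The same leeway that accepts a token issued slightly in the future also accepts a token for that long after its `exp`, so it is best kept to the skew actually expected between the two clocks.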
