HelpWanted: handling clock skew for nbf, exp and iat #48

Closed
soumiksamanta opened this issue Jul 31, 2021 · 4 comments

Comments

@soumiksamanta

I have a k8s application where the issuer pod creates a JWT token and the client pod parses it for validity. In some situations, the time on the worker nodes is skewed by a few seconds (~20 sec). So if the issuer pod and the client pod run on separate worker nodes, validation of the JWT token fails (ValidationErrorIssuedAt).

// Validates time based claims "exp, iat, nbf".
// There is no accounting for clock skew.
// As well, if any of the above claims are not in the token, it will still
// be considered a valid claim.
func (c StandardClaims) Valid() error {
	vErr := new(ValidationError)
	now := TimeFunc().Unix()

	// The claims below are optional, by default, so if they are set to the
	// default value in Go, let's not fail the verification for them.
	if c.VerifyExpiresAt(now, false) == false {
		delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0))
		vErr.Inner = fmt.Errorf("token is expired by %v", delta)
		vErr.Errors |= ValidationErrorExpired
	}

	if c.VerifyIssuedAt(now, false) == false {
		vErr.Inner = fmt.Errorf("Token used before issued")
		vErr.Errors |= ValidationErrorIssuedAt
	}

	if c.VerifyNotBefore(now, false) == false {
		vErr.Inner = fmt.Errorf("token is not valid yet")
		vErr.Errors |= ValidationErrorNotValidYet
	}

	if vErr.valid() {
		return nil
	}

	return vErr
}

Is there an override option to handle clock skew? The RFC specifies that a JWT implementation may handle clock skew of a few minutes: https://datatracker.ietf.org/doc/html/rfc7519#page-10

soumiksamanta changed the title from "HelpWanted: handling clock skew for nbf and exp" to "HelpWanted: handling clock skew for nbf, exp and iat" on Jul 31, 2021
oxisto (Collaborator) commented Jul 31, 2021


Unfortunately, not (yet). I was planning on re-designing the validation functions in a future release, similar to what was proposed by the original author in the original (non-finished) v4 branch. I created an issue to track this here: #16. I did not have enough dedicated time to do so.

I would propose closing this issue as a duplicate, feel free to add any additional comments to #16

oxisto (Collaborator) commented Jul 31, 2021

What you can do though in the meantime is override jwt.TimeFunc to adjust "now":

jwt/token.go, line 13 in 4bbdd8a:

var TimeFunc = time.Now
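As an added illustration (not code from this thread or from the library), the following self-contained Go program reproduces the three time checks with a leeway parameter and the TimeFunc override, using the scenario from the issue: an issuer clock about 20 s ahead of the client. The names `timeClaims`, `validate`, `withTimeFunc` and `skewScenario` and the timestamps are assumptions constructed for the example; only the package-level `TimeFunc` hook mirrors the library.

```go
package main

import (
	"fmt"
	"time"
)

// Stand-in for the library's hook (`var TimeFunc = time.Now`); overriding it moves "now".
var TimeFunc = time.Now
// exp/iat/nbf as Unix seconds; zero means absent and is skipped, as in StandardClaims.Valid.
type timeClaims struct{ ExpiresAt, IssuedAt, NotBefore int64 }

// validate re-implements the three checks with a symmetric leeway (exp extended,
// iat/nbf pulled back). A leeway of 0 is the strict behaviour shown in the issue.
func validate(c timeClaims, leeway time.Duration) error {
	now, l := TimeFunc().Unix(), int64(leeway/time.Second)
	if c.ExpiresAt != 0 && now > c.ExpiresAt+l {
		return fmt.Errorf("token is expired by %ds", now-c.ExpiresAt)
	}
	if c.IssuedAt != 0 && now < c.IssuedAt-l {
		return fmt.Errorf("token used before issued")
	}
	if c.NotBefore != 0 && now < c.NotBefore-l {
		return fmt.Errorf("token is not valid yet")
	}
	return nil
}

// withTimeFunc applies the thread's workaround for one call: swap TimeFunc, run fn, restore it.
func withTimeFunc(f func() time.Time, fn func() error) error {
	saved := TimeFunc
	TimeFunc = f
	defer func() { TimeFunc = saved }()
	return fn()
}

// skewScenario builds the claims an issuer whose clock runs skew ahead of the
// client would stamp at client time clientNow (constructed values, not real tokens).
func skewScenario(clientNow time.Time, skew, ttl time.Duration) timeClaims {
	t := clientNow.Add(skew).Unix()
	return timeClaims{IssuedAt: t, NotBefore: t, ExpiresAt: t + int64(ttl/time.Second)}
}

func main() {
	base := time.Unix(1627700000, 0) // constructed client-side "now"
	c := skewScenario(base, 20*time.Second, 5*time.Minute) // issuer 20 s ahead
	clientClock := func() time.Time { return base }
	fmt.Println("strict:    ", withTimeFunc(clientClock, func() error { return validate(c, 0) }))
	fmt.Println("30s leeway:", withTimeFunc(clientClock, func() error { return validate(c, 30*time.Second) }))
}
```

Shifting TimeFunc forward by 20 s accepts the early iat, but it also makes the exp check 20 s stricter for tokens from correctly synced issuers, so the override is a one-directional workaround whereas a symmetric leeway tolerates skew either way. TimeFunc is process-global, so swapping it affects every validation running concurrently, not just the one call.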

soumiksamanta (Author) commented:

Thanks for the inputs. I would give this a try.

oxisto closed this as completed on Jul 31, 2021
oxisto (Collaborator) commented Jul 31, 2021

Closed as duplicate of #16
