feat(kas): add configurable SRT skew tolerance and diagnostics [backport to release/service/v0.11]

docs/Configuring.md

@@ -240,6 +240,16 @@ For OTLP provider:
 - `trace.provider.otlp.insecure`: Whether to use an insecure connection
 - `trace.provider.otlp.headers`: Headers to include in OTLP requests
 
+## Security Configuration
+
+Root level key `security`
+
+| Field                       | Description                                                                                     | Default |
+|-----------------------------|-------------------------------------------------------------------------------------------------|---------|
+| `unsafe.clock_skew`         | Platform-wide maximum tolerated clock skew for token verification (Go duration, use cautiously) | `1m`    |
+
+> **Warning:** Increasing `unsafe.clock_skew` weakens token freshness guarantees. Only raise this value temporarily while you correct clock drift.
+
 ## Services Configuration
 
 Root level key `services`
@@ -262,6 +272,11 @@ Environment Variable: `OPENTDF_SERVICES_KAS_KEYRING='[{"kid":"k1","alg":"rsa:204
 Example:
 
 ```yaml
+security:
+  unsafe:
+    # Increase only when diagnosing clock drift issues
+    # clock_skew: 90s
+
 services:
   kas:
     keyring:

opentdf-kas-mode.yaml

@@ -11,6 +11,10 @@ logger:
   level: debug
   type: text
   output: stdout
+security:
+  unsafe:
+    # Increase only when diagnosing clock drift issues; default is 1m
+    # clock_skew: 90s
 services:
   kas:
     registered_kas_uri: http://localhost:8080 # Should match what you have registered for *this* KAS in the policy db.

service/kas/access/provider.go

@@ -2,6 +2,7 @@ package access
 
 import (
 	"context"
+	"log/slog"
 	"net/url"
 	"time"
 
@@ -29,6 +30,7 @@ type Provider struct {
 	Logger         *logger.Logger
 	Config         *config.ServiceConfig
 	KASConfig
+	securityConfig *config.SecurityConfig
 	trace.Tracer
 }
 
@@ -73,6 +75,36 @@ func (p *Provider) IsReady(ctx context.Context) error {
 	return nil
 }
 
+// ApplyConfig stores the latest KAS configuration, tracks the associated security
+// overrides, and emits a warning when the configured clock skew exceeds the default.
+func (p *Provider) ApplyConfig(cfg KASConfig, securityCfg *config.SecurityConfig) {
+	p.KASConfig = cfg
+	p.securityConfig = securityCfg
+
+	if p.Logger != nil {
+		if skew := p.acceptableSkew(); skew > config.DefaultUnsafeClockSkew {
+			p.Logger.Warn("configured SRT acceptable skew exceeds default",
+				slog.Duration("configured_skew", skew),
+				slog.Duration("default_skew", config.DefaultUnsafeClockSkew),
+			)
+		}
+	}
+}
+
+// SecurityConfig exposes the most recent security configuration captured via ApplyConfig.
+func (p *Provider) SecurityConfig() *config.SecurityConfig {
+	return p.securityConfig
+}
+
+// acceptableSkew returns the tolerated clock skew for SRT validation, falling back to the
+// global unsafe default when no override is present.
+func (p *Provider) acceptableSkew() time.Duration {
+	if p.securityConfig == nil {
+		return config.DefaultUnsafeClockSkew
+	}
+	return p.securityConfig.ClockSkew()
+}
+
 func (kasCfg *KASConfig) UpgradeMapToKeyring(c *security.StandardCrypto) {
 	switch {
 	case kasCfg.ECCertID != "" && len(kasCfg.Keyring) > 0: