[BUG]: "validateIdTokenExpNotExpired" is not working fine when users time is not synced by their time zone and there is no way to disable validate IdTokenExpiry .

[abdullahqudeer]

I am using your library on an application with lot of users, one of the issues that are causing me a lot of pain, is the fact that many users have clock issues where their time is not synced by their time zone . When that happens they can't login successfully.

Do you have any recommendation as to how I can totally eliminate this issue?

Below screenshot will help you to understand the issue.

[damienbod]

You can disable this check using the configuration, or increase the window. This is how the OIDC spec is defined.

[abdullahqudeer]

@damienbod : Can you please let me know which configuration you referring..? Also I am unable to understand what do you mean to increase the window....?
Below is my configuration . Thanks .

[damienbod]

@abdullahqudeer your configuration looks good. You have set a 3 min window and disabled this. This should be good. I will check this, thanks for reporting. Maybe as a workaround, you could set the allowed time in secs to 3 hrs .

Greetings Damien

[abdullahqudeer]

@damienbod : any update about this issue ?

[damienbod]

@abdullahqudeer I will validate that disabling the offset check works in V12 so that users with incorrect times can still authenticate. V12 should be released in the next few weeks.

Greetings Damien

[hugomartinshm]

Hello @damienbod,

I have exactly the same issue, my application is used by some users whose clock is in advance compared to the identity server time (for instance +10 minutes on client time when the idToken validity is 5 minutes) so the idToken sent by the identity server is immediately expired on the client, and they cannot log in.
(I'm currently using V12 of angular-auth-oidc-client)

To simulate the issue I have set my local clock to +2 hours with a idToken validity of 1 hour.

I have tried to set a big value for the maxIdTokenIatOffsetAllowedInSeconds in config but doesn't solve the issue.

Indeed, this parameter seems to concern only a first check of the offset.

Example => I have set maxIdTokenIatOffsetAllowedInSeconds to 43200 and works fine.

I have noted that this first check of the offset is optional and can be removed with the parameter disableIatOffsetValidation in config.

The problem is on the second verification, the one directly on idToken expiration time, which is based on the local clock, and causes my issue.

Is there a parameter in config that would allow to have a certain offset in this second verification ?

Thanks in advance !

[damienbod]

Hi @hugomartinshm thanks for this. I will validate this, the disableIatOffsetValidation should disable this check

[hugomartinshm]

Hello @damienbod, thanks for your answer.

The disableOffsetValidation is working fine for me as it removes initial check on the offset.

The issue in on the id token validation that occurs every n seconds and that uses the local machine time. Does disableOffsetValidation also concerns this periodic check on id token ?

[L1nkss]

Greetings @damienbod
Do you have any updates about that bug?
In our project we have the similar problem as @hugomartinshm has.
I've disabled disableIatOffsetValidation ,but I still have an infinite redirect because of id token validation.

[mtinnes]

I've been seeing the same issue using version 14.0.2. I have to set maxIdTokenIatOffsetAllowedInSeconds to a negative number, something like -600 in order to prevent infinite looping. Clock is sync'd on both local PC and server. I've tried configuring disableRefreshIdTokenAuthTimeValidation: true, and enableIdTokenExpiredValidationInRenew: false.

[abdullahqudeer]

Greetings @damienbod
Do you have any updates about this?

[FabianGosebrink]

Is this issue still relevant?