-
Notifications
You must be signed in to change notification settings - Fork 433
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG]: "validateIdTokenExpNotExpired" is not working fine when users time is not synced by their time zone and there is no way to disable validate IdTokenExpiry . #1027
Comments
You can disable this check using the configuration, or increase the window. This is how the OIDC spec is defined. |
@damienbod : Can you please let me know which configuration you referring..? Also I am unable to understand what do you mean to increase the window....? |
@abdullahqudeer your configuration looks good. You have set a 3 min window and disabled this. This should be good. I will check this, thanks for reporting. Maybe as a workaround, you could set the allowed time in secs to 3 hrs . Greetings Damien |
@damienbod : any update about this issue ? |
@abdullahqudeer I will validate that disabling the offset check works in V12 so that users with incorrect times can still authenticate. V12 should be released in the next few weeks. Greetings Damien |
Hello @damienbod, I have exactly the same issue, my application is used by some users whose clock is in advance compared to the identity server time (for instance +10 minutes on client time when the idToken validity is 5 minutes) so the idToken sent by the identity server is immediately expired on the client, and they cannot log in. To simulate the issue I have set my local clock to +2 hours with a idToken validity of 1 hour. I have tried to set a big value for the maxIdTokenIatOffsetAllowedInSeconds in config but doesn't solve the issue. Indeed, this parameter seems to concern only a first check of the offset. Example => I have set maxIdTokenIatOffsetAllowedInSeconds to 43200 and works fine. I have noted that this first check of the offset is optional and can be removed with the parameter disableIatOffsetValidation in config. The problem is on the second verification, the one directly on idToken expiration time, which is based on the local clock, and causes my issue. Is there a parameter in config that would allow to have a certain offset in this second verification ? Thanks in advance ! |
Hi @hugomartinshm thanks for this. I will validate this, the disableIatOffsetValidation should disable this check |
Hello @damienbod, thanks for your answer. The disableOffsetValidation is working fine for me as it removes initial check on the offset. The issue in on the id token validation that occurs every n seconds and that uses the local machine time. Does disableOffsetValidation also concerns this periodic check on id token ? |
Greetings @damienbod |
I've been seeing the same issue using version 14.0.2. I have to set maxIdTokenIatOffsetAllowedInSeconds to a negative number, something like -600 in order to prevent infinite looping. Clock is sync'd on both local PC and server. I've tried configuring disableRefreshIdTokenAuthTimeValidation: true, and enableIdTokenExpiredValidationInRenew: false. |
Greetings @damienbod |
Is this issue still relevant? |
I am using your library on an application with lot of users, one of the issues that are causing me a lot of pain, is the fact that many users have clock issues where their time is not synced by their time zone . When that happens they can't login successfully.
Do you have any recommendation as to how I can totally eliminate this issue?
Below screenshot will help you to understand the issue.
The text was updated successfully, but these errors were encountered: