This repository was archived by the owner on Jul 16, 2025. It is now read-only.
Add 1 minute clock skew when verifying time constraint #57
Merged
qiwzhang merged 1 commit into google:master on Nov 3, 2020
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
nareddyt approved these changes on Nov 3, 2020
@qiwzhang should we make this configurable? I'm not sure 1 minute is good for all cases. Sometimes we have short-lived JWT tokens that expire in ~5 minutes (or even shorter), and 1 minute skew means at least 20% difference.
Contributor, Author
Well, grpc is hardcoded to 1 minute jwt_validator. I think we should be fine.
lizan pushed a commit to envoyproxy/envoy that referenced this pull request on Nov 16, 2020
When verifying Jwt clock constraint, it is recommended to use some clock skew. grpc is using 1 minute clock [skew](https://github.com/grpc/grpc/blob/4645da201ae2c7d0b15fe56d86b41354fa4af0ca/src/core/lib/security/credentials/jwt/jwt_verifier.cc#L388-L389). [jwt_verify_lib](google/jwt_verify_lib#57) has been updated to add 1 minute clock skew.
In the old code, time constraint verification is done in jwt_authn filter, and jwt_verify_lib::verifyJwt() is doing time constraint verification again. Change jwt_verify_lib to split the time constraint verification to Jwt class so it can be called separately. And call verify() without the time checking.
Risk Level: None
Testing: unit-test is done in jwt_verify_lib repo
Docs Changes: None
Release Notes: Added
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
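
The skew-tolerant time check described in this commit message and questioned in the review comment above, as an added C++ example; it is not code from jwt_verify_lib, Envoy or gRPC. `TimeClaims`, `TimeStatus` and `checkTimeConstraint` are hypothetical names, the timestamps are constructed, and the boundary rule (accepted from `nbf - skew` through `exp + skew`, inclusive) is an assumption.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical names; this is not jwt_verify_lib's API.
enum class TimeStatus { Ok, NotYetValid, Expired };

constexpr uint64_t kClockSkewSeconds = 60;  // the fixed 1 minute from this PR

struct TimeClaims {
  uint64_t nbf;  // seconds since epoch, 0 = claim absent
  uint64_t exp;  // seconds since epoch, 0 = claim absent
};

// Time check kept separate from signature verification so a caller can run
// it on its own. Each comparison is arranged so neither side can wrap
// around, even for extreme claim values such as exp = UINT64_MAX.
TimeStatus checkTimeConstraint(const TimeClaims& c, uint64_t now,
                               uint64_t skew = kClockSkewSeconds) {
  // Not yet valid when now + skew < nbf.
  if (c.nbf != 0 && c.nbf > skew && now < c.nbf - skew) {
    return TimeStatus::NotYetValid;
  }
  // Expired when now > exp + skew.
  if (c.exp != 0 && now > skew && now - skew > c.exp) {
    return TimeStatus::Expired;
  }
  return TimeStatus::Ok;
}

int main() {
  // Constructed 5-minute token, as in the review comment.
  const uint64_t iat = 1700000000;
  const TimeClaims token{iat, iat + 300};

  // 61 seconds after exp: rejected with the 1 minute skew.
  bool late = checkTimeConstraint(token, token.exp + 61) == TimeStatus::Expired;
  // 60 seconds after exp: still accepted; with skew 0 it would be rejected.
  bool grace = checkTimeConstraint(token, token.exp + 60) == TimeStatus::Ok;
  bool strict = checkTimeConstraint(token, token.exp + 60, 0) == TimeStatus::Expired;

  std::printf("late=%d grace=%d strict=%d extra=%llu%%\n", late, grace, strict,
              (unsigned long long)(kClockSkewSeconds * 100 / (token.exp - token.nbf)));
  return 0;
}
```

For a 300 second token the 60 second grace after `exp` is the 20% the reviewer mentions, and the same allowance applies before `nbf`.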
lizan pushed a commit to envoyproxy/data-plane-api that referenced this pull request on Nov 16, 2020
Mirrored from https://github.com/envoyproxy/envoy @ cd684e76bda80e140ab90573815f1990ec6f2a6f
andreyprezotto pushed a commit to andreyprezotto/envoy that referenced this pull request on Nov 24, 2020
qqustc pushed a commit to qqustc/envoy that referenced this pull request on Nov 24, 2020
Signed-off-by: Qin Qin <qqin@google.com>
rexengineering pushed a commit to rexengineering/istio-envoy that referenced this pull request on Oct 15, 2021
This is to fix GoogleCloudPlatform/esp-v2#369
This is to be on par with grpc jwt_validator