Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issued at claim (iat) is in the future #54

Closed
realmike33 opened this issue Jan 19, 2017 · 10 comments
Closed

Issued at claim (iat) is in the future #54

realmike33 opened this issue Jan 19, 2017 · 10 comments

Comments

@realmike33
Copy link

Got this error when trying to decode JWT. As per the python implementation, this shouldn't be a thing.

Should update.

@realmike33
Copy link
Author

opened pull request

@JanBrinker
Copy link
Contributor

I'm having the same issue from time to time. As far as I see this happens due to rounding of the timestamps. For example this morning I sent a request and got a token in response that had an iat of 1504765492. Just before validating the token I printed out my current timestamp and it was 1504765491.78288. As the token expects an integer in the iat field and iOS's Date() uses Double to model sub second accuracy, we might have a current Date() that is before iat.

However I don't agree with your pull request to completely remove this error from the code base.

This could be solved by always rounding the current date down before comparing to the iat claim. Do you agree @kylef?

@kylef
Copy link
Owner

kylef commented Sep 7, 2017

This could be solved by always rounding the current date down before comparing to the iat claim.

@JanBrinker I think the better solution would to be support some form of leeway, some value of time that can be passed to the library to allow extra time.

Implementers MAY provide for some small leeway, usually no more than
a few minutes, to account for clock skew. Its value MUST be a number
containing a NumericDate value. Use of this claim is OPTIONAL.

@JanBrinker
Copy link
Contributor

@kylef that could work aswell and could also be implemented more nicely by just using Date().addingTimeInterval(...) for comparison instead of Date().

In that case the question would be how to pass the leeway into the library or whether it should be a constant. What do you think?

@kylef
Copy link
Owner

kylef commented Sep 7, 2017

@JanBrinker I think I'd do the following:

@JanBrinker
Copy link
Contributor

@kylef shall we introduce several different leeways for the different claims? So one for nbf, one for exp and one for iat? Even if a leeway for iat is not defined in the specs?

@kylef
Copy link
Owner

kylef commented Sep 7, 2017

@JanBrinker I think it would be rare that a user would want that granularity, that they would want to specify different values (but I could be wrong).

The design would allow them to do this by manually calling the validations for this unusual case. Do you think there would be a warrant for use-case to provide separate values in the code and validate functions?

let claimset = decode(..., validate: false)
claimset.validateIssuer("x")
claimset.validateIssuedAt(leeway: 5)
claimset.validateExpiary(leeway: 5)

I would lean towards a single value to keep the API simpler for the 99%, but willing to consider it if you think there are use-cases. Looking at the other libraries it seems they are split:

From PyJWT, they support a single value:

jwt.decode(jwt_payload, 'secret', leeway=10, algorithms=['HS256'])

From ruby-jwt, they support separate leeways:

decoded_token = JWT.decode token, hmac_secret, true, { :exp_leeway => leeway, :algorithm => 'HS256' }

@JanBrinker
Copy link
Contributor

I was just thinking about the two different cases that we have with exp (leeway is subtracted from Date()) vs. iat and nbf (leeway is added to Date()). But you're right. Let's go for one parameter. The purpose is to account for skewed clocks. Clock skew does not change that fast to matter differently for different checks.. or if it does you have different problems anyway.

I'm on it now. Will also write unit tests and create a pull request for you :)

@kylef
Copy link
Owner

kylef commented Sep 7, 2017

@JanBrinker Awesome, let me know if you need any help.

JanBrinker added a commit to JanBrinker/JSONWebToken.swift that referenced this issue Sep 7, 2017
@kylef
Copy link
Owner

kylef commented Sep 11, 2017

Closed by #83.

@kylef kylef closed this as completed Sep 11, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants