Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

nbf + clockTolerance cause issues

See original GitHub issue

https://github.com/auth0/node-jsonwebtoken/blob/73c4a5ac45d557ef0dc1c43fcae6b7fc9bc3f19e/verify.js#L116

The clockTolerance may be wrong when used together with nbf. When the token has just been issued if added with clockTolerance it’ll always fail I guess.

I’m pretty sure it should extend exp (expiration) time and shorten nbf (not before) time.

I can submit a PR if someone agrees.

Issue Analytics

State:
Created 5 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

4reactions

maceddcommented, Jul 5, 2018

I agree with @MitMaro as after reviewing the code again I could figure the logic was fine.

Still I could only get rid of the issues with tokens failing on another server (right after its creation) disabling the nbf completelly

jwt({ignoreNotBefore: true});

1reaction

ziluvatarcommented, Jun 16, 2018

I have this scenario currently when my frontend regenerates the token on failure, to sequentially try the same api endpoint again. node-jsonwebtoken is failing due to the clockTolerance.

Let me write the cases I can think of:

A) Clock timestamp => Frontend: 995 and API: 1000. Clock Tolerance: 10 Check: nbf=995 > clockTimestamp=1000 + clockTolerance=10 => false, all good Since the verifier is “in the future” from the signer point of view there will be never a fail here.

B) Clock timestamp => Frontend: 1000 and API: 995. Clock Tolerance: 10 Check: nbf=1000 > clockTimestamp=995 + clockTolerance=10 => false, all good Since the verifier is “in the past” from the signer point of view here the tolerance matters, it needs to be well defined.

B.2) Clock timestamp => Frontend: 1000 and API: 985. Clock Tolerance: 10 Check: nbf=1000 > clockTimestamp=985 + clockTolerance=10 => true, failure. Clock tolerance should be greater.

C) Clock timestamp => Frontend: 1000 and API: 1000. Clock Tolerance: 10 Check: nbf=1000 > clockTimestamp=1000 + clockTolerance=10 => false, all good

Can you think in any other? Did I miss anything?

Top Results From Across the Web

Bearer error="invalid_token", error_description="The token is ...

Your tokens have the nbf (JWT Not Before) Claim, when verifying a ... Some verification option like clock skew or clock tolerance may...

jsonwebtoken | Yarn - Package Manager

... clockTolerance : number of seconds to tolerate when checking the nbf and exp ... The issue was caused because the same signature...

PrematureJwtException - Auth0 Community

Hi all, What possible timing problems or clock skews can cause this exception ? ... post - Are you by chance using an...

PostGraphile | Command Line Interface

To disable audience verification, set to ''. --jwt-verify-clock-tolerance <number> number of seconds to tolerate when checking the nbf and exp claims, to deal ......

@hansenw/jwt-auth - npm

This may not be a problem to some people, but I find passport.js a bit difficult ... notBefore : <string> JWT Not Before,...