add some leeway for checking JWT expiry, to account for clock skew
Description:
I have an error caused by a clock skew of one second between my Hasura server and my JWT service (Firebase). I think that it would be beneficial to allow a little bit of leeway in the validation of the iat of the token to allow for this kind of situation.
Error message :
{name: "FormatedError", message: "Unknown error", originalError: "cannot start as connection_init failed with : Could not verify JWT: JWTIssuedAtFuture"}
Solution :
Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Use of this claim should be OPTIONAL.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:34
- Comments:37 (6 by maintainers)
Hey folks
This commit: https://github.com/hasura/graphql-engine/commit/c14bcb6967c6dec1188a71432968a203007ec371 adds a new config allowed_skew in the JWT config to provide for some leeway while comparing the JWT expiry time. This is planned to be released in v1.3.4 and you can configure clock skew according to your requirements.
NOTE: When you face this error, please do verify that the timestamp in the token and time in graphql-engine (according to logs) are suffering from clock skew and not some other issue.
This issue is happening to all our developers using Windows machines with Hasura in Docker for Windows running in WSL2… Machines and WSL are properly synchronized with NTP, and it happens with JWT tokens issued from Firebase and also Auth0.
To bypass this issue we have to manually set WSL clock 1 hour in the future on every boot, which is cumbersome.
No trouble on Docker for Mac…
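How a bounded leeway changes the outcome of the iat, nbf and exp checks discussed in this thread, as an added Python example that is not part of the thread and is not Hasura's implementation. The key, timestamps, the 300-second cap and every error string except JWTIssuedAtFuture are constructed for the demo; the parameter name allowed_skew is borrowed from the maintainer's comment.

```python
import base64, hashlib, hmac, json

MAX_SKEW = 300                    # assumed cap: "no more than a few minutes"
KEY = b"constructed-demo-key"     # constructed secret, demo only
NOW = 1_700_000_000               # constructed verifier clock (Unix seconds)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_hs256(claims, key):
    """Build a constructed HS256 token to feed the verifier."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def verify(token, key, now, allowed_skew=0):
    """Check the signature first, then time claims with a bounded leeway."""
    if not 0 <= allowed_skew <= MAX_SKEW:
        raise ValueError("allowed_skew out of range")
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(key, head, body), _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    # Leeway only moves the comparison point; it never disables a check.
    if "iat" in claims and claims["iat"] > now + allowed_skew:
        raise ValueError("JWTIssuedAtFuture")
    if "nbf" in claims and claims["nbf"] > now + allowed_skew:
        raise ValueError("not yet valid")
    if "exp" in claims and now - allowed_skew >= claims["exp"]:
        raise ValueError("expired")
    return claims

def outcome(claims, skew):
    """Return 'ok' or the rejection reason for a freshly signed token."""
    try:
        verify(sign_hs256(claims, KEY), KEY, NOW, skew)
        return "ok"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    print(outcome({"iat": NOW + 1, "exp": NOW + 3601}, 0))  # issuer 1 s ahead
    print(outcome({"iat": NOW + 1, "exp": NOW + 3601}, 5))
```

The same leeway that accepts an iat one second in the future also accepts a token whose exp passed less than allowed_skew seconds ago, so the value should stay as small as the observed skew requires.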