Invalid Id Token Errors when manually setting Android device time forward
Configuration
- Version: 0.9.1
- Integration: Kotlin
- Identity provider: Comcast
Description
We recently upgraded from 0.7.1 to 0.9.1 and went to prod without issue. We found now that if we set an Android’s clock forward an hour (disable auto time/timezone) our app throws:

    AuthorizationException: {"type":0,"code":9,"errorDescription":"Invalid ID Token"}
        at net.openid.appauth.IdToken.validate(IdToken.java:182)
        at net.openid.appauth.AuthorizationService$TokenRequestTask.onPostExecute(AuthorizationService.java:694)
        at net.openid.appauth.AuthorizationService$TokenRequestTask.onPostExecute(AuthorizationService.java:563)
        at android.os.AsyncTask.finish(AsyncTask.java:771)

I see this library doing just that:

    Long nowInSeconds = clock.getCurrentTimeMillis() / MILLIS_PER_SECOND;
    if (nowInSeconds > this.expiration) {
        throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR,
                new IdTokenException("ID Token expired"));
    }

Did something change where I need to tell my Auth Provider what I think the time is so my Id Token is aligned?
My Token Provider would be setting the
private static final String KEY_EXPIRATION = "exp";
field in the id token but how would they know my clock was set forward an hour?
It looks like this validation was introduced in https://github.com/openid/AppAuth-Android/pull/385/files and I need to disable it. Note it says:

    // OpenID Connect Core Section 3.1.3.7. rule #9
    // Validates that the current time is before the expiry time.

but that’s not in https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

Edit: Found related issue https://github.com/openid/AppAuth-Android/issues/693
Top GitHub Comments
I am a beginner
In my opinion, client time can be allowed to be out of sync. The resource server will respond with an error anyway if the token is invalid/expired.
At least having a parameter to optionally skip the validation of time would be useful.
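
An added example (not AppAuth's code and not from the issue or its comments) of keeping the expiry check while making it independent of the device wall clock: the validation clock is anchored to the `Date` header of the token response plus monotonic elapsed time, with a bounded leeway. The class name, `anchoredTo`, `isExpired`, the 60-second leeway, the presence of a `Date` header and all sample values are assumptions; only the `getCurrentTimeMillis()` comparison mirrors the snippet quoted above.

```java
import java.time.Duration;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.function.LongSupplier;

public class SkewTolerantExpiryCheck {
    /** Same shape as the clock call in the snippet quoted in the issue. */
    interface Clock { long getCurrentTimeMillis(); }

    /**
     * Hypothetical clock anchored to a server timestamp: server time at the moment of the
     * response plus monotonic time elapsed since then. Wall-clock changes do not affect it.
     */
    static Clock anchoredTo(String httpDateHeader, LongSupplier monotonicMillis) {
        long serverMillis = ZonedDateTime.parse(httpDateHeader, DateTimeFormatter.RFC_1123_DATE_TIME)
                .toInstant().toEpochMilli();
        long anchor = monotonicMillis.getAsLong();
        return () -> serverMillis + (monotonicMillis.getAsLong() - anchor);
    }

    /** The expiry comparison from the issue, with an explicit, bounded leeway. */
    static boolean isExpired(long expSeconds, Clock clock, Duration leeway) {
        long nowInSeconds = clock.getCurrentTimeMillis() / 1000;
        return nowInSeconds > expSeconds + leeway.getSeconds();
    }

    public static void main(String[] args) {
        // Constructed sample values: token response received at 12:00:00 GMT, exp 10 minutes later.
        String dateHeader = "Tue, 14 Nov 2023 12:00:00 GMT";
        long issuedAt = ZonedDateTime.parse(dateHeader, DateTimeFormatter.RFC_1123_DATE_TIME)
                .toEpochSecond();
        long exp = issuedAt + 600;

        // Device wall clock set one hour ahead, as in the report.
        Clock device = () -> (issuedAt + 3600) * 1000;
        // Simulated monotonic source; on Android this would be SystemClock.elapsedRealtime().
        long[] uptime = {5_000};
        Clock anchored = anchoredTo(dateHeader, () -> uptime[0]);
        Duration leeway = Duration.ofSeconds(60);

        System.out.println("device clock, fresh token:    expired=" + isExpired(exp, device, leeway));
        System.out.println("anchored clock, fresh token:  expired=" + isExpired(exp, anchored, leeway));
        uptime[0] += Duration.ofMinutes(15).toMillis(); // 15 minutes pass on the monotonic source
        System.out.println("anchored clock, 15 min later: expired=" + isExpired(exp, anchored, leeway));
    }
}
```

The anchored clock accepts the fresh token despite the one-hour wall-clock error and still rejects it once its lifetime plus leeway has actually elapsed, so the expiry check stays in force rather than being skipped.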