AxaFrance / oidc-client

Light, Secure, Pure Javascript OIDC (Open ID Connect) Client. We provide also a REACT wrapper (compatible NextJS, etc.).
MIT License

How to deal with users having a system time in the future? #1373

Open fwolff opened 1 month ago

fwolff commented 1 month ago

Issue and Steps to Reproduce

When you set your system date / time in the future, two things can happen:

I couldn't find any way to tell the user that his system time isn't in sync with the server time and that he should adjust it.

Versions

7.22.4 with a service worker

Expected

Give a way to tell the user that his system time isn't in sync with the server time and that he should adjust it.

Actual

See "Issue and Steps to Reproduce" above.

Additional Details

My configuration:

export const oidcConfiguration: OidcConfiguration = {
    client_id: "***",
    redirect_uri: '***/authentication/callback',
    silent_redirect_uri: '***/authentication/silent_callback',
    scope: 'openid profile email',
    authority: "***",
    service_worker_relative_url: "/OidcServiceWorker.js",
    service_worker_only: true,
}

guillaume-chervet commented 1 month ago

Hi @fwolff very sorry for the delay.

Systems in general are synchronised. There is no way to check it.

If you have that case you can renew the token when an HTTP 401 occurs. I think it is the best way to handle that case.
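
A sketch of the renew-on-401 approach from the reply above, as an added example that is not code from this thread or from the oidc-client project. It also compares the response's HTTP `Date` header with the local clock so the application can tell the user the clock is off. The names `estimateSkewMs`, `describeSkew`, `fetchWithRenew`, `renewTokens` and `fetchImpl` and the 5-minute tolerance are assumptions, as is a `Date` header readable by the page (same-origin, or exposed through CORS).

```javascript
// Added example: every name here is hypothetical, not part of the oidc-client API.
const SKEW_TOLERANCE_MS = 5 * 60 * 1000; // assumed tolerance; tune to the token lifetime

// Estimate (local clock - server clock) from an HTTP Date header.
// Returns null when the header is missing or unparsable.
function estimateSkewMs(dateHeader, sentAtMs, receivedAtMs) {
  const serverMs = Date.parse(dateHeader ?? "");
  if (Number.isNaN(serverMs)) return null;
  // Use the midpoint of the round trip to cancel out most network latency.
  const localMidpointMs = sentAtMs + (receivedAtMs - sentAtMs) / 2;
  return Math.round(localMidpointMs - serverMs);
}

// Turn a skew estimate into a state the UI can show to the user.
function describeSkew(skewMs) {
  if (skewMs === null || Math.abs(skewMs) <= SKEW_TOLERANCE_MS) return "ok";
  return skewMs > 0 ? "local-clock-ahead" : "local-clock-behind";
}

// Call the API; on a 401, renew the tokens once and retry once.
// Assumes the access token is attached outside `init` (for example by a
// service worker), so the retried request picks up the renewed token.
async function fetchWithRenew(url, init, { fetchImpl, renewTokens, now = Date.now }) {
  const sentAt = now();
  let response = await fetchImpl(url, init);
  const skewMs = estimateSkewMs(response.headers.get("date"), sentAt, now());
  let renewed = false;
  if (response.status === 401) {
    await renewTokens();
    renewed = true;
    response = await fetchImpl(url, init); // single retry: never loop on renew
  }
  return { response, renewed, skewMs, clock: describeSkew(skewMs) };
}
```

The `Date` header has one-second resolution, so the estimate is only useful for detecting skews of minutes or more, which is the case described in this issue.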