facile-it / php-openid-client

PHP OpenID Client

error : The JWT is issued in the future #24

Closed crmb closed 1 year ago

crmb commented 1 year ago

Using: php7.4-fpm w/ extension "gmp". Despite using ntpd, I most often get the following error while trying to get the tokenSet.

The OpenID authorization server is from SalesForce, which I presume is also at the correct time. (They say I am the only one to have this issue.)

```
PHP Fatal error:  Uncaught Jose\Component\Checker\InvalidClaimException: The JWT is issued in the future. in /vendor/web-token/jwt-checker/IssuedAtChecker.php:53
Stack trace:
#0 /vendor/web-token/jwt-checker/ClaimCheckerManager.php(68): Jose\Component\Checker\IssuedAtChecker->checkClaim(1673626473)
#1 /vendor/facile-it/php-jose-verifier/src/Validate/Validate.php(84): Jose\Component\Checker\ClaimCheckerManager->check(Array, Array)
#2 /vendor/facile-it/php-jose-verifier/src/IdTokenVerifier.php(100): Facile\JoseVerifier\Validate\Validate->run()
#3 /vendor/facile-it/php-openid-client/src/Service/AuthorizationService.php(209): Facile\JoseVerifier\IdTokenVerifier->verify('eyJraWQiOiIyNDA...')
#4 /vendor/facile-it/php-openid-client/src/Service/AuthorizationService.php(162): Facile\OpenIDClient\Service\AuthorizationService->fetchToken(Object(Facile\OpenIDClient\Client\Client), Obje in /vendor/facile-it/php-jose-verifier/src/AbstractTokenVerifier.php on line 318
```

I can mitigate the issue by setting an "allowedTimeDrift" of 8 in vendor/web-token/jwt-checker/IssuedAtChecker.php

thomasvargiu commented 1 year ago

Hi @crmb, it's weird, there should be a problem with your or their time. You should be able to inspect the iat claim value with your time.

But if you need it, you can set the clock tolerance like this (it will set the allowedTimeDrift):

```php
use Facile\OpenIDClient\Service\Builder\AuthorizationServiceBuilder;
use Facile\OpenIDClient\Token\IdTokenVerifierBuilder;

$verifierBuilder = (new IdTokenVerifierBuilder())
    ->setClockTolerance(5); // 5 seconds

$authorizationService = (new AuthorizationServiceBuilder())
    ->setIdTokenVerifierBuilder($verifierBuilder)
    ->build();
```

crmb commented 1 year ago

Thank you. I will investigate further on the time. Good to know that I can set the drift tolerance here by then.
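
One way to do the `iat` comparison suggested in the thread and see which clock tolerance a given skew needs, as an added example (not code from php-openid-client, web-token or either commenter). `decodeJwtPayload` and `checkIssuedAt` are hypothetical helpers, the sample token and local clock value are constructed, and the `iat` value is the one shown in the stack trace.

```php
<?php
declare(strict_types=1);

// Added diagnostic example, not part of php-openid-client or web-token.
// It decodes the ID token payload WITHOUT verifying the signature, so use it
// only to inspect timestamps, never to trust the claims.

function decodeJwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Expected a compact JWS with three parts.');
    }
    // base64url -> base64, restoring the padding that JWTs strip.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    if ($json === false) {
        throw new InvalidArgumentException('Payload is not valid base64url.');
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// Returns how many seconds iat lies ahead of the local clock (negative = past)
// and whether an "issued in the future" check with this tolerance would pass.
function checkIssuedAt(array $claims, int $localNow, int $toleranceSeconds): array
{
    if (!isset($claims['iat']) || !is_int($claims['iat'])) {
        throw new InvalidArgumentException('Token has no integer iat claim.');
    }
    $ahead = $claims['iat'] - $localNow;
    return ['iat' => $claims['iat'], 'ahead' => $ahead, 'accepted' => $ahead <= $toleranceSeconds];
}

// Constructed sample token: placeholder header and signature, iat from the stack trace.
$b64url = static fn (string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$sample = $b64url('{"alg":"none"}') . '.' . $b64url('{"iat":1673626473}') . '.sig';
$localNow = 1673626467; // constructed: local clock 6 s behind the issuer; use time() in practice

foreach ([0, 5, 8] as $tolerance) {
    $r = checkIssuedAt(decodeJwtPayload($sample), $localNow, $tolerance);
    printf("tolerance=%ds iat=%d ahead=%ds => %s\n", $tolerance, $r['iat'], $r['ahead'],
        $r['accepted'] ? 'accepted' : 'issued in the future');
}
```

Keep the tolerance at a few seconds: a larger value also widens the window in which a not-yet-valid token is accepted, and a persistent offset points to a clock-sync problem on one side.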