frasertweedale / hs-jose

Haskell JOSE and JWT library
http://hackage.haskell.org/package/jose
Apache License 2.0

Add the possibility to provide a leeway to the IAT Validation #96

Closed frederikprijck closed 4 years ago

frederikprijck commented 4 years ago

Today I stumbled upon a situation where my tokens were issued in the future by Auth0 (10 seconds in the future). As the issue existed on multiple devices, it looks like the issue was not on my end. After a few hours, the problem was also magically resolved.

I understand that this is an edge case and it shouldn't happen. However, I'd argue that if it happens I don't want it to take my app down.

Looking at some other JWT validating libraries, some don't validate IAT against the current time, others do. Most that do add a little leeway onto it and make the leeway configurable. This way we can ensure that, if situations like this occur, our application still works fine.

There is a related issue in Hasura's repository (https://github.com/hasura/graphql-engine/issues/2109); however, I believe it cannot be addressed in Hasura without a (configurable) leeway in this repository.

To be clear, I'm talking about this check: https://github.com/frasertweedale/hs-jose/blob/master/src/Crypto/JWT.hs#L470

frasertweedale commented 4 years ago

@frederikprijck did you try setting the allowed skew in the JWTValidationSettings? This is very much supported already.

See https://github.com/frasertweedale/hs-jose/blob/master/src/Crypto/JWT.hs#L362-L378
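An added example (not code from the hs-jose repository) of the setting referred to above: it builds a token whose `iat` is 10 seconds in the future, as in the report, and verifies it with a 30-second allowed skew. It assumes the jose 0.8-era API (`defaultJWTValidationSettings`, `jwtValidationSettingsAllowedSkew`, `verifyClaims`) plus lens and mtl; the key, audience and issuer are constructed for the demo.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not part of hs-jose: tolerate a small amount of clock skew
-- between the issuer and the verifier instead of rejecting the token outright.
import Control.Lens ((&), (.~), (?~))
import Control.Monad.Except (runExceptT)
import Crypto.JWT
import Data.Time.Clock (addUTCTime, getCurrentTime)

-- Validation settings: accept tokens for audience "my-api" (constructed value)
-- and allow 30 seconds of skew. The skew applies to the iat, nbf and exp
-- checks; the default is 0, which is what made the 10-second-future iat fail.
validationSettings :: JWTValidationSettings
validationSettings =
  defaultJWTValidationSettings (== "my-api")
    & jwtValidationSettingsAllowedSkew .~ 30

main :: IO ()
main = do
  -- Constructed for the demo: a fresh symmetric key standing in for the
  -- issuer's signing key (a real verifier would load the issuer's JWK/JWKS).
  jwk <- genJWK (OctGenParam 32)
  now <- getCurrentTime
  -- Claims whose iat is 10 seconds ahead of this machine's clock.
  let claims =
        emptyClaimsSet
          & claimIss ?~ "https://issuer.example/"
          & claimAud ?~ Audience ["my-api"]
          & claimIat ?~ NumericDate (addUTCTime 10 now)
          & claimExp ?~ NumericDate (addUTCTime 3600 now)
  result <- runExceptT $ do
    alg <- bestJWSAlg jwk
    signed <- signClaims jwk (newJWSHeader ((), alg)) claims
    -- With the default settings (skew 0) this step fails on the future iat;
    -- with a 30-second skew the token is accepted.
    verifyClaims validationSettings jwk signed
  case (result :: Either JWTError ClaimsSet) of
    Left err -> putStrLn ("rejected: " ++ show err)
    Right cs -> putStrLn ("accepted: " ++ show cs)
```

Keep the skew as small as the deployment can tolerate: it widens the window in which an expired token is still accepted by the same amount.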

frederikprijck commented 4 years ago

@frasertweedale Wow, I'm so sorry for opening an issue for this. I missed that (in my defense, I'm not great at reading Haskell 🙈 ).

Closing this issue.

frasertweedale commented 4 years ago

No worries @frederikprijck.