Add 1 minute clock skew when verifying time constraint

google / jwt_verify_lib

Provide c++ library to verify JWT tokens

Apache License 2.0

42 stars 43 forks source link

Add 1 minute clock skew when verifying time constraint #57

Closed qiwzhang closed 4 years ago

qiwzhang commented 4 years ago

Signed-off-by: Wayne Zhang qiwzhang@google.com

This is to fix :https://github.com/GoogleCloudPlatform/esp-v2/issues/369

This is to on-par with grpc jwt_validator

yangminzhu commented 4 years ago

@qiwzhang should we make this configurable? I'm not sure 1 minute is good for all cases, sometime we have short-lived JWT token that expires in ~5 minutes (or even shorter), and 1 minute skew means at least 20% difference.

qiwzhang commented 4 years ago

Well grpc is hardcoded to 1 minute jwt_validator

I think we should be fine.