okta / okta-sdk-dotnet

A .NET SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.

change generated JWT expiry time to 50 minutes from 60 for time drift #489

Closed emanor-okta closed 3 years ago

emanor-okta commented 3 years ago

Issue

Reference okta-sdk-java PR #515 and OKTA-356323 for the same issue in the Java SDK.

Code

Current behavior

Currently the expiry time of a JWT is set to 60 minutes. Okta will reject any JWT whose expiry is further than 60 minutes in the future. If the client machine has a slight time drift (ahead) of a number of seconds, Okta will reject the /token request with invalid_client (401, The client_assertion token has an expiration too far into the future.)

Desired behavior

Allow for slight future time drift.

Additional Context

A couple of clients periodically see invalid_client (401, The client_assertion token has an expiration too far into the future.) when running management requests due to clock drift. Since Okta does not allow expiry further than 60 minutes, and the SDK sets the expiry for 60 minutes, a few seconds of drift can cause the failures.
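
The failure described in the issue above, as an added example that is not part of the original post and is not the SDK's code: a client builds `client_assertion` claims from its own clock, and a simplified model of the server check (the 60-minute limit is taken from the issue text) decides acceptance. The client ID, token URL, fixed timestamp and all method names are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

static class ClientAssertionExpiryDemo
{
    // Limit taken from the issue text: exp may be at most 60 minutes ahead of the server's clock.
    static readonly TimeSpan ServerMaxLifetime = TimeSpan.FromMinutes(60);

    // Claims of a private_key_jwt client assertion; iat and exp come from the CLIENT's clock.
    static Dictionary<string, object> BuildClaims(string clientId, string tokenUrl,
                                                  DateTimeOffset clientNow, TimeSpan lifetime)
    {
        return new Dictionary<string, object>
        {
            ["iss"] = clientId,
            ["sub"] = clientId,
            ["aud"] = tokenUrl,
            ["iat"] = clientNow.ToUnixTimeSeconds(),
            ["exp"] = clientNow.Add(lifetime).ToUnixTimeSeconds(),
            ["jti"] = Guid.NewGuid().ToString()
        };
    }

    // Simplified model of the server-side check (an assumption), evaluated on the SERVER's clock.
    static bool ServerAccepts(Dictionary<string, object> claims, DateTimeOffset serverNow)
    {
        var exp = DateTimeOffset.FromUnixTimeSeconds((long)claims["exp"]);
        return exp > serverNow && exp - serverNow <= ServerMaxLifetime;
    }

    static void Main()
    {
        // Constructed, fixed server time so the run is deterministic.
        var serverNow = new DateTimeOffset(2021, 6, 1, 12, 0, 0, TimeSpan.Zero);
        foreach (var driftSeconds in new[] { 0, 5, 600, 601 })
        {
            var clientNow = serverNow.AddSeconds(driftSeconds); // client clock runs ahead
            foreach (var minutes in new[] { 60, 50 })
            {
                var claims = BuildClaims("constructed-client-id",
                    "https://example.okta.com/oauth2/v1/token",
                    clientNow, TimeSpan.FromMinutes(minutes));
                Console.WriteLine($"drift={driftSeconds,4}s lifetime={minutes}m " +
                                  $"accepted={ServerAccepts(claims, serverNow)}");
            }
        }
    }
}
```

Under this model a 60-minute lifetime leaves no margin for a client clock that runs ahead, while a 50-minute lifetime absorbs up to 10 minutes of forward drift.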

laura-rodriguez commented 3 years ago

Hi @emanor-okta,

Thank you for your patience.

I've added a ticket to our internal backlog, and we'll review it soon.

Internal Ref: OKTA-409817

andriizhegurov-okta commented 3 years ago

New PR for this https://github.com/okta/okta-sdk-dotnet/pull/495