fix clock skew to right direction #1237
Conversation
|
@manfredsteyer Would be great if we could get this one checked and merged, we are running into #1135 too :( |
|
@manfredsteyer Any idea when we could get this one merged and released? I can see a lot of people are running into #1135 |
| @@ -2263,8 +2263,8 @@ export class OAuthService extends AuthConfig implements OnDestroy { | |||
| const clockSkewInMSec = this.getClockSkewInMsec(); // (this.getClockSkewInMsec() || 600) * 1000; | |||
|
|
|||
| if ( | |||
| issuedAtMSec - clockSkewInMSec >= now || | |||
| expiresAtMSec + clockSkewInMSec <= now | |||
| issuedAtMSec >= now - clockSkewInMSec || | |||
There was a problem hiding this comment.
I think the sign of the clockSkew is wrong when comparing with the issuedAt.
In the case when the Identity Provider server clock is the same as the the browser clock, the issuedAt of a new/refreshed access_token/id_token will be very close to the server time.
Reducing the browser time with the clock skew, it will lead to the "token has expired" error each time, no?
| issuedAtMSec >= now - clockSkewInMSec || | |
| issuedAtMSec >= now + clockSkewInMSec || |
There was a problem hiding this comment.
I think you are right. The original code is correct here.
There was a problem hiding this comment.
The original code was correct only for issuedAt attribute.
The updates you suggest on the expiresAt seem correct to me
Fixes #1135