We have a web application Vuejs(front) and a api Nodejs(back).
We delegate authentication to a third party OpenIdProvider.
Users login in the front and get and access token.
This access token contains:
nbf : the time before which the JWT MUST NOT be accepted for processing.
iat: the time at which the JWT was issued.
exp: time expiration of token
In my case when i log in at 11am i have:
nbf: 11:00 am
iat: 11:00 am
exp: 11:30 am
In each request from VueJS to NodeAPI, the access token is passed and verified by the back.
I verify jwt token like this:
jwt.verify(token, publicKey, { algorithms: ['RS256'], audience: process.env.OP_CLIENT });
The publicKey is read from the OpenIdProvider jwks_uri and the audience is my provider client id.
The problem is that the time on my nodejs server is late, is it : 9:00
So when i use verify i get this error message:
NotBeforeError: jwt not active
at /var/www/app/node_modules/jsonwebtoken/verify.js:143:21
at getSecret (/var/www/app/node_modules/jsonwebtoken/verify.js:90:14)
at Object.module.exports [as verify] (/var/www/app/node_modules/jsonwebtoken/verify.js:94:10)
at async authUser (/var/www/app/src/helpers/openid.js:87:19) { date: 2021-07-27T09:00:51.000Z }
I read that I could ignore the notBefore option but the problem remains the same on the validity period of the token ?
because with a time difference between the issuing time of the provider and the time on my server it distorts the verification.
what do you recommend ? is this the correct way to verify my token from a provider?
Your code looks pretty standard - similar to this code of mine.
The times used should be UTC times, so the preferred resolution is to ensure that the UTC time on the server is correct - eg by running a simple OS command such as date -u in bash.
Note also that there is an option called clockTimestamp that can be passed into the Auth0 library.
This will not help if the server clock is badly wrong though. If an IT administrator runs the server, it is their job to ensure that the system clock is correct.
Thanks Gary !
Finally i set
ENV TZ="Europe/Paris" in my docker file and my backend is now at the good timezone.
I also added the deactivation of the notBefore check to avoid problems if it has a few minutes of lag
jwt.verify(token, publicKey, { ignoreNotBefore:true, algorithms: ['RS256'], audience: process.env.OP_CLIENT });
Our server is running inside a docker container in a swarm cluster.
So i think, i have to set correctly the good UTC timezone in my deploy stage
Related
We host python packages on Azure DevOps and to make them accessible to users a pip.ini file is created on user's machine where we place a token generated from Artifacts / Connect to feed / Python / Generate Python credentials.
It was observed that with some time credentials stop working.
Does credentials expire? We didn't find anywhere in the documentation after which period of time the credentials expire.
Is it possible to control credentials lifetime (e.g. increase it)?
The python credential generate in a feed is a base64 encoded JWT(JSON Web Token ). The expiration time is defined when the JWT token is generated. I don't see there is a way to expand the token, you need to generate a new token when it is expired.
If you want to find your specific expiration time, you can copy the python credentials from the ‘pip.conf’ or ‘pip.ini’ file to this link: https://jwt.io/, which will help you find your expiration time. And your python credentials in your pip.conf is between 'https://xxx:' and '#xxxx.dev.azure.com'. All the details can be found in the screenshot. You can refer to this part from this case. Hope this will help you.
Finally I've found answers to both my questions.
Credentials do expire and default expiration period is 3 months.
It is possible to increase (or decrease) expiration period even after credentials have been already generated. I've discovered that every time I navigate to Artifacts / Connect to feed / Python and click on "Generate Python credentials" link a new credentials are generated and they can be found by clicking on user icon (top-right) choosing "Security" and then "Personal access tokens". Here you can see all generated tokens, you can Revoke them or edit. When editing you can change Expiration - the maximum duration is 1 year.
I'm referring to this URL https://cloud.google.com/speech/docs/getting-started to get started with the google speech API.
As the site suggests,I followed the following steps
Create or select a project.
Enable the Cloud Speech API for that project
Create a service account
Download a private key as JSON
I have the gcloud installed on my command-line. Now when i try to activate service account using the below command,
gcloud auth activate-service-account --key-file=my-service-account-key-file
i'm getting the below error.
ERROR: (gcloud.auth.activate-service-account) There was a problem refreshing your current auth tokens: invalid_grant: Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems.
I suspect it's the problem with the time zone. I'm running the command from my AWS EC2 instance.
I think there is a cache with this somewhere, after around 10 minutes it resolved itself.
I ran into this error when I created a new key for a service account and deleted the old one.
In my case fixing the date solved the issue. If you are in linux, you can change the date by executing
date -s "Thu Feb 24 22:32:36 EET 2022"
I wonder if, keycloak wildfly adapter care for "Issued At" Claim.
So imagine, a keycloak standalone and a wildfly server have a small time difference, and keycloak creates a JWT token where iat (issued at) claim
seems to be a few milliseconds in future (at least in comparison to the time at the server running wildfly) ...
What will happen? The token will be accepted or not?
Your token will be accepted, iat is used for the comparaison with the not-before property. By default not-before is set to 0 and iat>not-before and the token will be valid but not-before can be set to now (or future) and than the iat is needed to validate the token.
Team,
I am trying to implement SSO for a WAS7 based web application using Kerberos & SPNEGO. I am almost done with the configuration. I have few doubts on Kerberos.
When I execute the command klist, following is the output.
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1#POC.MAIL.COM
Valid starting Expires Service principal
01/09/2014 16:15 02/09/2014 02:21 krbtgt/POC.MAIL.COM#POC.MAIL.COM
renew until 08/09/2014 16:15
My Question is "what expires and renew indicates here.?"
and "if it expires what is the process of renewing it.?"
Please put a comment if much information is required.
We're just going live with the Intuit API feature on our live application. We finished the last step of the process by uploading the X.509 certificate signed by Comodo PositiveSSL CA. Though our production access status shows up as ready now, we are having a problem using the production OAUTH credentials. We get an unauthorized exception using these credentials. The development OAUTH credentials work fine though. We also tried using Thawte SSL 123 but no luck even with that.
Also, the actual expiry date of the X.509 certificate, we uploaded is 16-Mar-2014 but when we upload this to the Intuit settings page, it shows expired (0/1/1). Please advice.
Adding the update here to this question- issue was with pointing to the wrong PFX file.