Issued At Claim Errors #320

Closed
sixfootsixdesigns opened this issue Dec 20, 2019 · 7 comments · Fixed by #329

Comments

@sixfootsixdesigns

Description

We are consistently getting issued at claim errors when our users attempt to log in. In this example, the current time is Dec 12th 2019 12:54:29 GMT-0600 and the issued at time is Dec 12th 2019 12:54:48 GMT-0600. I have set the leeway option to 3 minutes to attempt to solve the issue but it is clearly not working as expected. We are using the loginWithRedirect method on the library to log in the users.

Reproduction

Using the loginWithRedirect method on the library.

Environment

  • We are using version 1.6.0
  • The app is a React 16.9 SPA
  • App is deployed on Heroku.
  • The user in this example was using Chrome on Windows

Let me know if you need any more information.

@stevehobbsdev
Contributor

Thanks for reporting this @sixfootsixdesigns. Could you show your configuration for the leeway?

@sixfootsixdesigns
Author

        this.auth0Client = await createAuth0Client({
          domain: this.props.domain,
          client_id: this.props.client_id,
          redirect_uri: this.props.redirect_uri,
          scope: this.props.scope,
          leeway: 180,
          audience: this.props.audience,
        });

@justinhelmer

I can confirm this issue as well, using [email protected].

Here is a related issue in auth0.js that was resolved recently: auth0/auth0.js#1061

Perhaps they are related.

@lbalmaceda
Contributor

This logic was introduced in version 1.4.0 as far as I can tell from the changelog. I also see there are tests in place for the loginWithPopup here but not for loginWithRedirect, though they call the verify function in the same way.

@spinfooser

I discovered that the error message given doesn't use the correct iat timestamp. This might be why it seems that the 180 second leeway option isn't working.

This is the issue I filed related to that problem: #322

@stevehobbsdev
Contributor

Hi everyone - after discussing this internally, we've taken the decision to remove the iat value check altogether, which should make this a non-issue. We will still be checking for presence and type, but will not be comparing the issued-at time.

I will be raising a PR in the very near future to correct this.

@shayded-exe

@stevehobbsdev Thank you. I never understood why the browser should check iat. That's for the resource server to do.
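
Added example, not part of the thread and not auth0-spa-js code: a sketch of the two policies discussed above, an `iat` comparison with leeway versus the presence-and-type check the maintainers settled on, run against a client clock that is behind the issuer. The names `validateTimeClaims`, `compare`, `compareIat` and the sample timestamps are assumptions made for illustration.

```javascript
// Added example: ID token time-claim checks under client clock skew.
// Function and option names are hypothetical, not the auth0-spa-js API.

// Constructed sample: the issuer stamps the token at ISSUED_AT; the
// browser's clock runs behind the issuer by `skewSeconds`.
const ISSUED_AT = 1576176888; // constructed Unix time (seconds)
const sampleClaims = { iat: ISSUED_AT, exp: ISSUED_AT + 36000 };

function validateTimeClaims(claims, { now, leeway = 60, compareIat = false }) {
  const errors = [];
  // Presence and type are always checked, for both claims.
  for (const name of ['iat', 'exp']) {
    if (!Number.isInteger(claims[name])) {
      errors.push(`${name} claim must be present and an integer`);
    }
  }
  if (errors.length) return errors;

  // exp is always enforced; leeway absorbs a client clock that runs fast.
  if (now > claims.exp + leeway) {
    errors.push(`token expired: exp=${claims.exp} now=${now} leeway=${leeway}`);
  }
  // Optional strict policy: reject tokens that appear issued in the future.
  // This fails whenever the client clock is behind by more than `leeway`,
  // and it reports the values it actually compared.
  if (compareIat && claims.iat > now + leeway) {
    errors.push(`token issued in the future: iat=${claims.iat} now=${now} leeway=${leeway}`);
  }
  return errors;
}

// Runs both policies against the same token for a given client clock offset.
function compare(skewSeconds, leeway) {
  const now = ISSUED_AT - skewSeconds; // browser clock behind the issuer
  return {
    strict: validateTimeClaims(sampleClaims, { now, leeway, compareIat: true }),
    presenceOnly: validateTimeClaims(sampleClaims, { now, leeway }),
  };
}

console.log(compare(19, 180));  // 19 s skew as in the report: both accept
console.log(compare(600, 180)); // clock 10 min behind: only strict rejects
console.log(validateTimeClaims({ exp: ISSUED_AT + 60 }, { now: ISSUED_AT })); // iat missing
```

With the strict policy, a user whose device clock is wrong cannot log in no matter how the token was issued, while the presence-only policy still rejects malformed or expired tokens.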
