Clock Skew is not checked in the authentication process

It is possible to log in to the application when there is a large time difference (4 hours). Version 2021.1 raised an error and refused the authorisation.

The error should be returned and the user shouldn't be allowed to log in.

The problem is caused by the package oidc-client-ts, which replaced oidc-client in 2022.4. It looks like the clock skew is just not checked. Here someone asked about it, but the question was not answered:

Maybe there is a hint in the oidc-client-ts documentation. I will continue to investigate.

The validation was removed from the UserManager (oidc-client-ts) in this commit:

This is where the clockSkewInSeconds was used:

const payload = JoseUtil.validateJwtAttributes(id_token, issuer, this.settings.client_id, this.settings.clockSkewInSeconds, now);

The whole method where the line above lived was removed in that commit. The method was put back in this commit:

But a different method was used to get the payload:

const payload = JwtUtils.decode(id_token);

No complaints about the missing clock skew check in #170:

The clock skew check on the client does not make much sense because the id_tokens are created on the server. The fact that the clock skew is not checked on the client anymore seems like a bug fix more than a bug.
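The kind of clock-skew-tolerant claim check the thread refers to (clockSkewInSeconds applied to iat/nbf/exp alongside issuer and audience), written as an added Node.js example; this is not oidc-client-ts code, and the function names, issuer, client id and token values are assumptions made for the example. Signature verification is deliberately left out so the focus stays on the time claims.

```javascript
// Added example, not oidc-client-ts code: a clock-skew-tolerant claim check
// of the kind this thread describes (clockSkewInSeconds), written for Node.js.
// Signature verification is out of scope here; only the claims are checked.

// Decode the payload segment of a compact JWT (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns the payload if issuer, audience and time claims are acceptable at
// `now` (seconds since epoch), allowing `clockSkew` seconds of drift either way.
function validateJwtAttributes(token, issuer, clientId, clockSkew, now) {
  const payload = decodeJwtPayload(token);
  if (payload.iss !== issuer) throw new Error("invalid issuer");
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(clientId)) throw new Error("invalid audience");
  if (typeof payload.iat !== "number") throw new Error("iat missing");
  if (typeof payload.exp !== "number") throw new Error("exp missing");
  // An iat further in the future than the tolerance means the server and
  // client clocks disagree by more than clockSkew (the 4-hour case above).
  if (payload.iat > now + clockSkew) throw new Error("iat is in the future");
  if (typeof payload.nbf === "number" && payload.nbf > now + clockSkew) {
    throw new Error("token not yet valid");
  }
  if (payload.exp <= now - clockSkew) throw new Error("token expired");
  return payload;
}

// Convenience wrapper: "ok" or the reason the token was rejected.
function checkIdToken(token, issuer, clientId, clockSkew, now) {
  try {
    validateJwtAttributes(token, issuer, clientId, clockSkew, now);
    return "ok";
  } catch (e) {
    return e.message;
  }
}

// Build a constructed test token; the signature segment is a placeholder
// because this example never verifies signatures.
function makeTestToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.placeholder-sig`;
}
```

With a token whose iat is 4 hours ahead of the client clock, checkIdToken returns "iat is in the future" at a 300 second tolerance and "ok" only when the tolerance is raised above 4 hours.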
