
JWT tokens are rejected after 10min if OIDC_LEEWAY is not set #66

Open
vikoivun opened this issue Jun 29, 2021 · 1 comment

Comments

@vikoivun
Member

vikoivun commented Jun 29, 2021

drf-oidc-auth, by default, rejects tokens where iat is older than 600s:
https://github.com/ByteInternet/drf-oidc-auth/blob/68a962446788ee55909f04daf2896b14820cfbec/oidc_auth/authentication.py#L163-L165

Perhaps django-helusers could provide a more useful default, or would this be better mentioned in the docs?

Now each project has discovered this on their own, or copied the magic setting from some other project.

@akikoskinen
Contributor

That's drf-oidc-auth version <1.0. To me it seems that since 1.0.0 drf-oidc-auth doesn't do that kind of checking any more; it doesn't mind how old iat is (which is good, using the leeway setting for oldness checking was counter-intuitive to begin with, IMO). Instead of giving guidelines on how to use old versions of dependencies, I would encourage people to keep their dependencies updated.

On another note, ApiTokenAuthentication could be reimplemented without drf-oidc-auth, using the RequestJWTAuthentication. That would give more control over how the JWT really is validated.
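The two behaviours discussed in this thread (the pre-1.0 check that rejects a token whose iat is older than the leeway value, and the newer behaviour where iat age is not checked and only exp/nbf bound the token's lifetime) can be reproduced in a few lines. The block below is an added example written for this issue; it is not code from django-helusers or drf-oidc-auth, and the function and parameter names (`check_time_claims`, `iat_max_age`, `make_sample_token`) are assumptions chosen for illustration. The sample token is constructed inline with a placeholder signature segment; the example only demonstrates the time-claim checks and never verifies a signature.

```python
import base64
import json
import time
from typing import Optional, Tuple


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT for this example.

    The signature segment is a placeholder: this snippet only exercises the
    time-claim checks and never verifies signatures.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def payload_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_time_claims(claims: dict, now: int, leeway: int = 0,
                      iat_max_age: Optional[int] = None) -> Tuple[bool, str]:
    """Validate exp / nbf / iat against `now` (Unix seconds).

    leeway:      clock-skew tolerance in seconds, applied to every time claim
                 (the role a setting such as OIDC_LEEWAY plays for skew).
    iat_max_age: if set, reject tokens issued more than this many seconds ago.
                 Setting it to 600 reproduces the "rejected after 10 min"
                 behaviour from the issue, where the leeway value doubled as
                 a maximum token age. None means iat age is not checked and
                 only exp bounds the lifetime, the behaviour the second comment
                 describes for drf-oidc-auth >= 1.0.0.
    """
    if "exp" not in claims:
        return False, "exp claim missing"
    if now > claims["exp"] + leeway:
        return False, "token expired"
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return False, "token not yet valid"
    iat = claims.get("iat")
    if iat is None:
        return False, "iat claim missing"
    if iat > now + leeway:
        return False, "iat in the future"
    if iat_max_age is not None and now - iat > iat_max_age:
        return False, f"iat older than {iat_max_age}s"
    return True, "ok"


def validate(token: str, now: int, leeway: int = 0,
             iat_max_age: Optional[int] = None) -> Tuple[bool, str]:
    """Decode the payload and run the time-claim checks."""
    return check_time_claims(payload_claims(token), now, leeway, iat_max_age)


if __name__ == "__main__":
    now = int(time.time())
    # Constructed claims: issued 601 s ago, still 1 h from expiry.
    token = make_sample_token({"iss": "https://issuer.example", "sub": "user-1",
                               "aud": "client-1", "iat": now - 601, "exp": now + 3600})
    # Old behaviour: leeway doubles as max age, so the token is rejected.
    print(validate(token, now, leeway=600, iat_max_age=600))
    # Newer behaviour: iat age is ignored, exp alone bounds the lifetime.
    print(validate(token, now, leeway=600))
```

Keeping clock-skew tolerance (`leeway`) separate from a maximum token age (`iat_max_age`) is the distinction the thread is circling: skew tolerance should be small and symmetric, while the lifetime of a token is what the issuer already encodes in exp, so an extra iat-age cutoff is only worth adding deliberately, with its own setting and documentation.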
