jwt-go

"Token used before issued"

Open sanderdekoning opened this issue 4 years ago • 8 comments

When running a Go program on my Mac, I am receiving the following error when parsing a JWT: "Token used before issued".

However, when I am running on a remote server it is working fine. What causes this issue and how can I resolve it?

EDIT: strangely, a reboot of my MacBook resolved the issue. It had never occurred before. Any idea what might have caused this issue? I tried changing my Mac system timezone to UTC but it didn't resolve it either.

sanderdekoning, Feb 29 '20 13:02

This module does not support clock tolerance.

https://github.com/dgrijalva/jwt-go/blob/dc14462fd58732591c7fa58cc8496d6824316a82/claims.go#L29

intolerance, Mar 05 '20 14:03

Thanks! I had read that too, although I am not sure what it refers to nor how it could potentially be resolved or as stated accounted for. Do you have a suggestion?

sanderdekoning, Mar 05 '20 16:03

Basically, clock skew refers to the difference between two system clocks that are not in sync. For example, server A's clock may be 1 minute behind server B's clock.

As an example, a JWT issuing service may set the iat or nbf claims using its system's clock. When a service tries to validate the JWT, it compares the iat or nbf claim to its own system time. When this check fails you get an error, i.e. Token used before issued.

To combat this issue some libraries, such as Auth0's node-jsonwebtoken, allow you to provide a clockTolerance parameter while validating a JWT. Using this type of feature you can validate a JWT while providing some leeway when comparing the time-sensitive claims.

In order to resolve the issue, you can try to sync the two systems' times; however, I've read that this issue can still occur even when they are synced. In some cases, syncing the two system times is impossible as the signer may be a 3rd party. Ultimately though, it is up to us to try to add support for a clockTolerance type of option into our validation libraries.

intolerance, Mar 05 '20 17:03
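The clock-tolerance check described in the comment above, as an added Go example that is not part of the thread and is not jwt-go's code. TimeClaims, ValidateWithLeeway and the error variables are hypothetical names, the claims are assumed to come from a token whose signature has already been verified, and the 45-second skew is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TimeClaims holds the time-based registered claims as Unix seconds.
// A zero value means the claim is absent and is not checked.
type TimeClaims struct {
	IssuedAt, NotBefore, ExpiresAt int64
}

var (
	ErrUsedBeforeIssued = errors.New("token used before issued")
	ErrNotValidYet      = errors.New("token is not valid yet")
	ErrExpired          = errors.New("token is expired")
)

// ValidateWithLeeway (hypothetical helper) checks iat, nbf and exp against the
// verifier's clock, accepting up to `leeway` of skew in either direction.
func ValidateWithLeeway(c TimeClaims, now time.Time, leeway time.Duration) error {
	if leeway < 0 {
		return errors.New("leeway must not be negative")
	}
	earliest := now.Add(-leeway).Unix() // exp must be later than this
	latest := now.Add(leeway).Unix()    // iat and nbf must not be later than this
	switch {
	case c.IssuedAt != 0 && c.IssuedAt > latest:
		return ErrUsedBeforeIssued
	case c.NotBefore != 0 && c.NotBefore > latest:
		return ErrNotValidYet
	case c.ExpiresAt != 0 && c.ExpiresAt <= earliest:
		return ErrExpired
	}
	return nil
}

func main() {
	// Constructed scenario: the issuer's clock runs 45s ahead of the verifier's.
	verifierNow := time.Date(2020, 2, 29, 13, 2, 0, 0, time.UTC)
	issuerNow := verifierNow.Add(45 * time.Second)
	c := TimeClaims{IssuedAt: issuerNow.Unix(), NotBefore: issuerNow.Unix(),
		ExpiresAt: issuerNow.Add(5 * time.Minute).Unix()}
	fmt.Println(ValidateWithLeeway(c, verifierNow, 0))           // token used before issued
	fmt.Println(ValidateWithLeeway(c, verifierNow, time.Minute)) // <nil>
	fmt.Println(ValidateWithLeeway(c, verifierNow.Add(7*time.Minute), time.Minute)) // token is expired
}
```

Keep the leeway small (seconds to a minute or two): the same window that absorbs skew on iat and nbf also extends how long an expired token is accepted.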

All right, I understand now, thank you for clarifying, I appreciate your time and effort

sanderdekoning, Mar 06 '20 11:03

The issuing time cannot be greater than the current system time

zhanghzong, Nov 12 '20 13:11

So could this library get clockTolerance option?

mitar, Jan 21 '21 20:01

Encountered this one as well. Should be cool if you could ignore the nbf claim.

cedricve, Feb 10 '21 12:02

> cool if you could ignore the nbf claim.

Introducing a maxClockSkew or clockTolerance parameter would be better. Other JWT libraries have that (e.g. https://github.com/firebase/php-jwt -> JWT::$leeway)

heidemn-faro, Oct 06 '21 10:10