workos
Add Support for a JWT Leeway Parameter
Description
This PR adds support for configuring a JWT leeway parameter that helps address token validation timing issues. When authenticating with WorkOS, occasional errors like "The token is not yet valid (iat)" can occur due to clock skew between servers. The leeway parameter creates a time buffer around token validation, allowing slightly expired or not-yet-valid tokens to be accepted.
The implementation adds a jwt_leeway parameter (default: 0) to the client configuration that's passed through to the JWT validation operations. Users can now specify a custom leeway value when creating a WorkOS client, and the setting will be consistently applied to all token operations. This change is fully backward compatible and includes tests to verify the leeway functionality works as expected with both slightly and significantly expired tokens.
Documentation
Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.
[x] Yes
If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
Usage
You can now specify the jwt_leeway param on the WorkOSClient. It will default to 0 if it is not specified.
workos = WorkOSClient(
api_key="",
client_id="",
jwt_leeway=30
)
@Th3R3p0 IMO the code looks good and this looks like a worthwhile feature to add, thank you! It looks like CI is failing on formatting. Would you mind running the following and pushing up the fixes?
pipx run black .
Thanks!
@nicknisi I just had another issue with timing and not having this leeway param came back to haunt me. I ran black against the commit and rebased on the upstream repo. Let me know if you need anything else from me.