
request help: why set system leeway in jwt-validators to 120 seconds by default?

Open tzssangglass opened this issue 2 years ago • 0 comments

Environment
  • lua-resty-openidc version (e.g. 1.7.5)
  • OpenID Connect provider (e.g. Keycloak, Azure AD)
Expected behaviour

When we use lua-resty-openidc, I find that the following code is executed, and it sets the system clock skew in the jwt-validators module to 120 seconds.

https://github.com/zmartzone/lua-resty-openidc/blob/b07330120ffe54dd3fbeac247726b76d0f9dc793/lib/resty/openidc.lua#L1014-L1021

This will actually set the jwt-validators module-level variable system_leeway to 120.

code in jwt-validators:

local system_leeway = 0  -- module-level: shared by every caller of jwt-validators in this Lua state
function _M.set_system_leeway(leeway)
  ensure_is_type(leeway, "number", "leeway must be a non-negative number")
  ensure_is_non_negative(leeway, "leeway must be a non-negative number")
  system_leeway = leeway  -- persists until something calls set_system_leeway again
end

link: https://github.com/cdbattags/lua-resty-jwt/blob/b8b1f6e00be74565111e0cbbc40bc7d26367a646/lib/resty/jwt-validators.lua#L320-L325

When the jwt-validators module is called again by another module, system_leeway is already set to 120.

Of course, there are some ways to fix this.

I'm just trying to figure out why the 120-second clock skew is set by default here, and why not 0 seconds?

Actual behaviour
Minimized example

Minimal, complete configuration that reproduces the behavior.

Configuration and NGINX server log files

Config and logs for the minimized example, possibly provided as attachments.

tzssangglass, Jul 20 '22 07:07
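The shared-state effect the issue describes, as an added example (not code from lua-resty-openidc or lua-resty-jwt): a stripped-down model of a module-level leeway that mimics the `set_system_leeway` pattern quoted above, plus a time-claim check that accepts an explicit per-call leeway. The module name `Validators`, the function `check_time_claims` and the sample claims are constructed for this illustration; the inequality used for `exp`/`nbf` is a plain model of leeway-aware validation, not the library's exact logic. It runs with a stock `lua` interpreter and needs no OpenResty.

```lua
-- Added example (not part of lua-resty-openidc or lua-resty-jwt). Models how a
-- module-level leeway set by one caller applies to every later caller in the
-- same Lua state, and how a per-call leeway keeps callers independent.
-- `Validators`, `check_time_claims` and the sample claims are invented here.

local Validators = {}
local system_leeway = 0   -- shared by every caller of this module (as in jwt-validators)

-- Mirrors the set_system_leeway pattern: validate, then overwrite module state.
function Validators.set_system_leeway(leeway)
  assert(type(leeway) == "number" and leeway >= 0, "leeway must be a non-negative number")
  system_leeway = leeway
end

function Validators.get_system_leeway()
  return system_leeway
end

-- Leeway-aware exp/nbf check (model, not the library's code): a token is
-- accepted while now < exp + leeway and now >= nbf - leeway. An explicit
-- `leeway` argument overrides the module-level value, so a caller that needs a
-- strict check is unaffected by what another module configured globally.
function Validators.check_time_claims(claims, now, leeway)
  leeway = leeway or system_leeway
  if claims.exp and now >= claims.exp + leeway then
    return false, "token expired"
  end
  if claims.nbf and now < claims.nbf - leeway then
    return false, "token not yet valid"
  end
  return true
end

-- Constructed sample: a fixed "now" and a token whose exp passed 60 seconds ago.
local now = 1700000000
local expired_claims = { exp = now - 60, nbf = now - 3600 }

-- With the default leeway of 0 the expired token is rejected.
print("leeway " .. Validators.get_system_leeway() .. ":", Validators.check_time_claims(expired_claims, now))

-- Module A (think: openidc) sets a 120-second skew allowance for its own use...
Validators.set_system_leeway(120)

-- ...and module B, which never touched the setting, now sees the same expired
-- token accepted, because exp + 120 is still in the future.
print("leeway " .. Validators.get_system_leeway() .. ":", Validators.check_time_claims(expired_claims, now))

-- Passing the leeway per call is the mitigation: module B's check stays strict
-- regardless of the module-level value.
print("per-call leeway 0:", Validators.check_time_claims(expired_claims, now, 0))
```

The practical takeaway for operators of a shared Lua state (one nginx worker hosting several modules that all use jwt-validators) is that the last writer of `system_leeway` wins for everyone, so any module that needs a tighter window should set the leeway it expects immediately before validating, or use a validator that takes the leeway as an argument, rather than relying on the module-level default.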