Add an allowed amount of clock skew to registry JWTs

2016-06-24 15:08:26 -04:00 · 2016-06-24 15:08:26 -04:00 · 2653d213c9
commit 2653d213c9
parent 6172b268eb
1 changed files with 7 additions and 3 deletions
--- a/util/security/registry_jwt.py
+++ b/util/security/registry_jwt.py
@ -9,6 +9,10 @@ logger = logging.getLogger(__name__)
 ANONYMOUS_SUB = '(anonymous)'
 ALGORITHM = 'RS256'

+# The number of allowed seconds of clock skew for a JWT. We pad the iat, nbf and exp with this
+# count.
+JWT_CLOCK_SKEW_SECONDS = 10
+

 class InvalidBearerTokenException(Exception):
  pass
@ -76,9 +80,9 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
  token_data = {
    'iss': issuer,
    'aud': audience,
-    'nbf': int(time.time()),
-    'iat': int(time.time()),
-    'exp': int(time.time() + lifetime_s),
+    'nbf': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
+    'iat': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
+    'exp': int(time.time() + lifetime_s) + JWT_CLOCK_SKEW_SECONDS,
    'sub': subject,
    'access': access,
    'context': context,