Add an allowed amount of clock skew to registry JWTs
parent
6172b268eb
commit
2653d213c9
1 changed files with 7 additions and 3 deletions
|
@ -9,6 +9,10 @@ logger = logging.getLogger(__name__)
|
||||||
ANONYMOUS_SUB = '(anonymous)'
|
ANONYMOUS_SUB = '(anonymous)'
|
||||||
ALGORITHM = 'RS256'
|
ALGORITHM = 'RS256'
|
||||||
|
|
||||||
|
# The number of allowed seconds of clock skew for a JWT. We pad the iat, nbf and exp with this
|
||||||
|
# count.
|
||||||
|
JWT_CLOCK_SKEW_SECONDS = 10
|
||||||
|
|
||||||
|
|
||||||
class InvalidBearerTokenException(Exception):
|
class InvalidBearerTokenException(Exception):
|
||||||
pass
|
pass
|
||||||
|
@ -76,9 +80,9 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
|
||||||
token_data = {
|
token_data = {
|
||||||
'iss': issuer,
|
'iss': issuer,
|
||||||
'aud': audience,
|
'aud': audience,
|
||||||
'nbf': int(time.time()),
|
'nbf': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
|
||||||
'iat': int(time.time()),
|
'iat': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
|
||||||
'exp': int(time.time() + lifetime_s),
|
'exp': int(time.time() + lifetime_s) + JWT_CLOCK_SKEW_SECONDS,
|
||||||
'sub': subject,
|
'sub': subject,
|
||||||
'access': access,
|
'access': access,
|
||||||
'context': context,
|
'context': context,
|
||||||
|
|
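Review bot: Padding `exp` in `token_data` means a verifier with an accurate clock accepts the token for `JWT_CLOCK_SKEW_SECONDS` beyond the `lifetime_s` the caller asked for, and the span from `nbf` to `exp` grows to `lifetime_s + 2 * JWT_CLOCK_SKEW_SECONDS`. If the verifier also applies its own leeway, the two allowances stack. The comment on the constant should state this, for example `# Tokens remain valid for lifetime_s plus this padding on each side; keep it small.` The backdated `iat` no longer records the real issue time, so any consumer that derives token age from `iat` (none is visible here) would be off by the same amount. The three separate `time.time()` calls can also straddle a second boundary, so reading the clock once before the dict, `now = int(time.time())`, would keep `nbf` and `iat` consistent; `_generate_jwt_object` begins and ends outside the hunk.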