Switch to using the leeway parameter on JWT validation
parent
00aa27beb9
commit
ab1756306b
1 changed files with 6 additions and 6 deletions
|
@ -9,9 +9,9 @@ logger = logging.getLogger(__name__)
|
|||
ANONYMOUS_SUB = '(anonymous)'
|
||||
ALGORITHM = 'RS256'
|
||||
|
||||
# The number of allowed seconds of clock skew for a JWT. We pad the iat, nbf and exp with this
|
||||
# The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this
|
||||
# count.
|
||||
JWT_CLOCK_SKEW_SECONDS = 10
|
||||
JWT_CLOCK_SKEW_SECONDS = 30
|
||||
|
||||
|
||||
class InvalidBearerTokenException(Exception):
|
||||
|
@ -54,7 +54,7 @@ def decode_bearer_token(bearer_token, instance_keys):
|
|||
|
||||
max_exp = jwtutil.exp_max_s_option(max_signed_s)
|
||||
payload = jwtutil.decode(encoded_jwt, public_key, algorithms=[ALGORITHM], audience=audience,
|
||||
issuer=expected_issuer, options=max_exp)
|
||||
issuer=expected_issuer, options=max_exp, leeway=JWT_CLOCK_SKEW_SECONDS)
|
||||
except jwtutil.InvalidTokenError as ite:
|
||||
logger.exception('Invalid token reason: %s', ite)
|
||||
raise InvalidBearerTokenException(ite)
|
||||
|
@ -80,9 +80,9 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
|
|||
token_data = {
|
||||
'iss': issuer,
|
||||
'aud': audience,
|
||||
'nbf': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
|
||||
'iat': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
|
||||
'exp': int(time.time() + lifetime_s) + JWT_CLOCK_SKEW_SECONDS,
|
||||
'nbf': int(time.time()),
|
||||
'iat': int(time.time()),
|
||||
'exp': int(time.time() + lifetime_s),
|
||||
'sub': subject,
|
||||
'access': access,
|
||||
'context': context,
|
||||
|
|
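Review bot: In decode_bearer_token, passing `leeway=JWT_CLOCK_SKEW_SECONDS` moves the skew tolerance from issuance to validation, so every token accepted there, not only those minted by `_generate_jwt_object`, is now honoured for the full leeway past its `exp`, and the constant appears to go from 10 to 30 in the same change. Please confirm that the `max_exp` option built by `jwtutil.exp_max_s_option` (its implementation is not visible on this page) still bounds token lifetime as intended once leeway is applied. Also check that any verifier still running without leeway will not reject freshly minted tokens, since `nbf` and `iat` are no longer back-dated. The comment on the constant should say where the skew is applied, e.g. `# Leeway in seconds applied when validating a JWT's iat, nbf and exp, to tolerate clock skew.` In `_generate_jwt_object`, whose body like that of decode_bearer_token extends beyond the lines shown, reading the clock once with `now = int(time.time())` and deriving `nbf`, `iat` and `exp` from it would keep the three claims consistent.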