Switch to using the leeway parameter on JWT validation

util/security/registry_jwt.py

@@ -9,9 +9,9 @@ logger = logging.getLogger(__name__)
 ANONYMOUS_SUB = '(anonymous)'
 ALGORITHM = 'RS256'
 
-# The number of allowed seconds of clock skew for a JWT. We pad the iat, nbf and exp with this
+# The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this
 # count.
-JWT_CLOCK_SKEW_SECONDS = 10
+JWT_CLOCK_SKEW_SECONDS = 30
 
 
 class InvalidBearerTokenException(Exception):
@@ -54,7 +54,7 @@ def decode_bearer_token(bearer_token, instance_keys):
 
     max_exp = jwtutil.exp_max_s_option(max_signed_s)
     payload = jwtutil.decode(encoded_jwt, public_key, algorithms=[ALGORITHM], audience=audience,
-                             issuer=expected_issuer, options=max_exp)
+                             issuer=expected_issuer, options=max_exp, leeway=JWT_CLOCK_SKEW_SECONDS)
   except jwtutil.InvalidTokenError as ite:
     logger.exception('Invalid token reason: %s', ite)
     raise InvalidBearerTokenException(ite)
@@ -80,9 +80,9 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
   token_data = {
     'iss': issuer,
     'aud': audience,
-    'nbf': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
+    'nbf': int(time.time()),
-    'iat': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
+    'iat': int(time.time()),
-    'exp': int(time.time() + lifetime_s) + JWT_CLOCK_SKEW_SECONDS,
+    'exp': int(time.time() + lifetime_s),
     'sub': subject,
     'access': access,
     'context': context,