jwt parser not accounting for clock skew #362

Closed
dInquisitor opened this issue Sep 12, 2023 · 3 comments
@dInquisitor

When testing out the supertokens exploratory project, I kept getting a "Token used before issued" error with Google sign in/up.
It turns out that the version of the golang-jwt package (v4) being used for oauth claims validation does not account for clock skew between my server and the IdP server, which caused the oauth token to be apparently issued 1 second after it's used here.

The current version (v5) now accounts for clock skew, so is it possible to consider upgrading to the new version?
The only dependency seems to be keyfunc, which also only needs a version bump as far as I can tell.
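
The failure described in this report, reproduced as an added example (not code from golang-jwt or the supertokens SDK): a standard-library-only check of the `iat`, `nbf` and `exp` claims with a configurable leeway. The type, function and error names and the sample timestamps are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TimeClaims holds the registered JWT time claims (RFC 7519) as Unix seconds.
// Zero means the claim is absent. Hypothetical type, not a library API.
type TimeClaims struct {
	IssuedAt, NotBefore, ExpiresAt int64
}

var (
	ErrUsedBeforeIssued = errors.New("token used before issued")
	ErrNotValidYet      = errors.New("token is not valid yet")
	ErrExpired          = errors.New("token is expired")
)

// ValidateTimeClaims checks iat, nbf and exp against now, tolerating up to
// leeway of clock difference between the issuer and this verifier.
func ValidateTimeClaims(c TimeClaims, now time.Time, leeway time.Duration) error {
	if leeway < 0 {
		return errors.New("leeway must not be negative")
	}
	if c.IssuedAt != 0 && now.Add(leeway).Before(time.Unix(c.IssuedAt, 0)) {
		return ErrUsedBeforeIssued
	}
	if c.NotBefore != 0 && now.Add(leeway).Before(time.Unix(c.NotBefore, 0)) {
		return ErrNotValidYet
	}
	// exp is exclusive: a token is rejected at or after exp (plus leeway).
	if c.ExpiresAt != 0 && !now.Add(-leeway).Before(time.Unix(c.ExpiresAt, 0)) {
		return ErrExpired
	}
	return nil
}

func main() {
	now := time.Unix(1694500000, 0) // constructed verifier clock
	// Constructed claims: the IdP clock is 1 second ahead of the verifier.
	c := TimeClaims{IssuedAt: now.Unix() + 1, ExpiresAt: now.Unix() + 3600}
	fmt.Println(ValidateTimeClaims(c, now, 0))             // token used before issued
	fmt.Println(ValidateTimeClaims(c, now, 5*time.Second)) // <nil>
	// Leeway also extends acceptance past exp, so keep it small.
	old := TimeClaims{IssuedAt: now.Unix() - 3700, ExpiresAt: now.Unix() - 3}
	fmt.Println(ValidateTimeClaims(old, now, 5*time.Second)) // <nil>
}
```

The leeway widens the acceptance window on both sides, so it should cover expected clock drift (seconds) and no more, since it also lengthens the effective lifetime of an expired token.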

@nkshah2
Contributor

nkshah2 commented Sep 12, 2023

Hi @dInquisitor

Thanks for the issue! The migration guide for golang-jwt seems pretty extensive, so we will need time to evaluate all the changes needed and possible side effects of moving to v5. We will add it to our pipeline and get around to this as soon as we can. Leaving this open so you can keep track of progress on this.

@dInquisitor
Author

Thank you!

@rishabhpoddar
Contributor

This has been released in version >= 0.16.0 of the golang SDK.
