Identity uses browser time, not server time to sign JWTs #43

Zyther · 2021-06-20T17:59:25Z

Steps to reproduce:

Use a Windows PC

maebeam · 2021-06-21T15:59:51Z

There's no way to fix this because Identity doesn't have a backend server to talk to and we don't want to add any server-side dependencies.

maebeam · 2021-06-21T16:00:30Z

I'm open to increasing the token expiry time or allowing the requester to specify an expiry time

Zyther · 2021-06-24T01:20:38Z

Understood, and thank you.

Zyther · 2021-06-24T01:24:05Z

After further thought, I feel this strictness is a good thing. Ensures all parties are in agreeance of the current time. Apologies!

maebeam · 2021-06-24T15:31:58Z

I think we should increase the token expiry time to account for clock skew. 10-30 minutes seems reasonable

maebeam · 2021-06-24T22:10:00Z

Increased to 10 minutes: d79b17c

maebeam closed this as completed Jun 21, 2021

Provide feedback