graphql-engine: add some leeway for checking JWT expiry, to account for clock skew

Description :

I have an error caused by a clock skew of one second between my Hasura server and my JWT service (Firebase). I think that it is beneficial to allow a little bit of leeway in the validation of the iat of the token to allow for this kind of situation.

Error message :

{name: "FormatedError", message: "Unknown error", originalError: "cannot start as connection_init failed with : Could not verify JWT: JWTIssuedAtFuture"}

Solution :

Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Use of this claim should be OPTIONAL.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 34
  • Comments: 38 (6 by maintainers)

Most upvoted comments

Hey folks

This commit: https://github.com/hasura/graphql-engine/commit/c14bcb6967c6dec1188a71432968a203007ec371 adds a new config allowed_skew in the JWT config to provide for some leeway while comparing the JWT expiry time.

This is planned to be released in v1.3.4 and you can configure clock skew according to your requirements.

NOTE: When you face this error, please do verify that the timestamp in the token and the time in graphql-engine (according to logs) are suffering from clock skew and not some other issue.

This issue is happening to all our developers using Windows machines with Hasura in Docker for Windows running in WSL2… Machines and WSL are properly synchronized with NTP, and it happens with JWT tokens issued from Firebase and also Auth0.

To bypass this issue we have to manually set WSL clock 1 hour in the future on every boot, which is cumbersome.

No trouble on Docker for Mac…

Have this error with a local-dockerized Hasura on Mac with authentication JWT coming from an AWS Cognito instance. Cognito issues my JWT and when used with Hasura I get the following error – {"errors":[{"extensions":{"path":"$","code":"invalid-jwt"},"message":"Could not verify JWT: JWTIssuedAtFuture"}]}.


UPDATE: For those using Cognito, I adjusted the allowed_skew on my HASURA_GRAPHQL_JWT_SECRET to 86400 and that did the trick finally.
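Added example, not part of the thread and not graphql-engine's code: a generic Python check of a token's iat/nbf/exp claims against the verifier's clock, for confirming that a JWTIssuedAtFuture rejection really is clock skew and for seeing what a given leeway admits. The function names, the way `allowed_skew` is applied here and the sample tokens are assumptions constructed for illustration; how graphql-engine applies `allowed_skew` internally is not shown on this page.

```python
import base64
import json

NOW = 1_700_000_000  # constructed verifier clock (Unix seconds)


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(iat: int, exp: int) -> str:
    """Constructed, unsigned sample token; the signature part is a dummy."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                     _b64url({"sub": "user-1", "iat": iat, "exp": exp}),
                     "c2ln"])


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_time_claims(claims: dict, now: int, allowed_skew: int = 0) -> list:
    """Return (claim, problem, seconds) tuples; an empty list means the claims pass."""
    problems = []
    for name in ("iat", "nbf"):
        # Reject claims that lie further in the verifier's future than the leeway.
        if name in claims and claims[name] - now > allowed_skew:
            problems.append((name, "in the future", claims[name] - now))
    # Assumption: the same leeway is added to exp, so it also extends token lifetime.
    if "exp" in claims and now - claims["exp"] >= allowed_skew:
        problems.append(("exp", "expired", now - claims["exp"]))
    return problems


if __name__ == "__main__":
    # Issuer clock runs 1 s ahead of the verifier, as in the report above.
    skewed = decode_claims(make_sample_token(iat=NOW + 1, exp=NOW + 3601))
    print(check_time_claims(skewed, NOW))                   # rejected on iat
    print(check_time_claims(skewed, NOW, allowed_skew=5))   # accepted
    # A token 12 h past exp: rejected with 60 s leeway, accepted with 86400 s.
    stale = decode_claims(make_sample_token(iat=NOW - 46800, exp=NOW - 43200))
    print(check_time_claims(stale, NOW, allowed_skew=60))
    print(check_time_claims(stale, NOW, allowed_skew=86400))
```

Running `check_time_claims` on a real token with the server's clock reading from its logs as `now` gives the size of the offset, which shows whether a few seconds of leeway would be enough.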

Running a local Hasura container, with a local React app in dev mode. Why is this skew happening?

Do we have a production release ETA?

This is available in v2.0 which will be stable in 2 weeks time.

Great, thanks for the quick response. ETA for 1.3.4 release? 😃

Ran into this in local dev env too, a reboot fixed the problem.