Clock skew can cause JWT parsing to fail

[john-j-mclaughlin]

go-jwt-middleware uses a default jwt Parser instance to parse the JWT. The default behavior is to "validate" the JWT and reject it if this fails.

Currently "validate" only looks at issue & expire time and compares with now(). If the parsing machine's current time is earlier than the JWT issuer's time (in my case it was by 0.4 secs) the parse will fail because my "now" is before their "issue time" (which is considered invalid).

Current code:
parsedToken, err := jwt.Parse(token, m.Options.ValidationKeyGetter)

Example of bypassing this validation:
jwtParser := &jwt.Parser{SkipClaimsValidation:true,}
parsedToken, err := jwtParser.Parse(token, m.Options.ValidationKeyGetter)

How to expose this option to the go-jwt-middleware user I will leave "as an exercise for the reader".

[aaliomer]

+1 this is causing real problems for us. We have some technical debt and looking into other competitors. please fix to save my team headache

[adw1n]

You should be able to use

jwt.TimeFunc = func() time.Time {
	return time.Now().UTC().Add(time.Second * 20)
}

workaround.

EDIT: so this could fix VerifyExpiresAt check but at the same time it breaks VerifyIssuedAt check

[grounded042]

Sorry for the inactivity on this. We are open to including this in our v2 release. If someone has a proposal that would be appreciated.

[sergiught]

We just released the v2.0.0-beta 🥳 !

You can start testing it by running go get github.com/auth0/go-jwt-middleware/v2@v2.0.0-beta.

In case of issues fetching the v2 you might want to try go clean --modcache first before doing go get.

I'm closing this issue as now this is part of v2, but feel free to reopen if needed.