Invalid Id Token Errors when manually setting android device time forward

[bsautner]

Configuration

• Version: 0.9.1
• Integration: Kotlin
• Identity provider: Comcast

Description

We recently upgraded from 0.7.1 to 0.9.1 and went to prod without issue. We found now that if we set an android's clock forward an hour (disable auto time/timezone) our app throws

    AuthorizationException: {"type":0,"code":9,"errorDescription":"Invalid ID Token"}
        at net.openid.appauth.IdToken.validate(IdToken.java:182)
        at net.openid.appauth.AuthorizationService$TokenRequestTask.onPostExecute(AuthorizationService.java:694)
        at net.openid.appauth.AuthorizationService$TokenRequestTask.onPostExecute(AuthorizationService.java:563)
        at android.os.AsyncTask.finish(AsyncTask.java:771)

I see this library doing just that:

        Long nowInSeconds = clock.getCurrentTimeMillis() / MILLIS_PER_SECOND;
        if (nowInSeconds > this.expiration) {
            throw AuthorizationException.fromTemplate(GeneralErrors.ID_TOKEN_VALIDATION_ERROR,
                new IdTokenException("ID Token expired"));
        }

Did something change where I need to tell my Auth Provider what I think the time is so my Id Token is aligned?

My Token Provider would be setting the
private static final String KEY_EXPIRATION = "exp";

field in the id token but how would they know my clock was set forward an hour?

It looks like this validation was introduced https://github.com/openid/AppAuth-Android/pull/385/files and I need to disable it.
note it says :

  // OpenID Connect Core Section 3.1.3.7. rule #9
        // Validates that the current time is before the expiry time.

but that's not in https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
Edit:
Found related issue #693

[nyihtwe1]

I am binngner

[Android3005]

@bsautner were you able to figure out any solution for this issue, other than degrading the version. We are also facing the same issue since we updated the appAuth version to 0.91

[bsautner]

Your only option is to fork this repo and do your own build without the check for id token timestamps. My only solution was to present the user with an error message that explained the problem since I didn't want to maintain a fork of this repo.

[agologan]

I do not believe it's a reasonable use-case to have the IDP and the client time be completely out of sync.
I'm open to change that opinion if the spec or enough members of the OpenID community decide against it.

There is however another topic about clock skew which I do agree this lib doesn't deal with which we should improve on.

[skauppi]

In my opinion client time can be allowed to be out of sync. Resource server will anyway respond with error, if token is invalid/expired.

At least having a parameter to optionally skip the validation of time would be useful.

[MahmoudMamdoouh]

Hello everyone
I want to at least customize it and use it,
I already know where I need to change but I can't use the package I have a little experience in Android so I need someone to tell me how to use it
please help

[sgal]

We have the same issue, would be great to have the ability to customize this behaviour since we cannot control the end-user devices. Clock skew could be the way to do it for sure.

[bensautner-comcast]

I'd like to see this issue re-opened as it seems to be exacerbated by daylight saving time and users having their phones configured to not use server time. Per the Spec

The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.

But the range is hardcoded in both iOS and Android for 10 minutes. We should be able to decide the range, for example 61 minutes would allow for a 1 hour offset.