Description
JwtGenerator currently does this to get the token issued time:
Instant issuedAt = Instant.now();
Compare this against how the JwtTimestampValidator in the Spring resource-server implementation is coded:
Instant expiry = jwt.getExpiresAt();
if (expiry != null && Instant.now(this.clock).minus(this.clockSkew).isAfter(expiry)) {
OAuth2Error oAuth2Error = this.createOAuth2Error(String.format("Jwt expired at %s", jwt.getExpiresAt()));
return OAuth2TokenValidatorResult.failure(new OAuth2Error[]{oAuth2Error});
}
Notice that you can override the clock in the validator to change the definition of "now" It would be very useful if the same thing could be done on the generation side as well.
Context
We have an extensive testing framework which makes use of comparison against known-good outputs. But obviously if these outputs include any kind of time derived from the current time of execution, the test output becomes variable. Rather than having to clutter up our test code with manual timestamp assertions for all of these, we require all of our services to obtain the current time from a special service that supports "fixing" time and then manually adjusting during the course of a test. This allows for stable test output even when timestamps are involved.
It would be a trivial change to support overriding the clock in the JwtGenerator instead of acquiring the "now" value directly from Instant.now() I'm happy to submit a PR.
In the short term we can work around this with a JwtCustomizer, but it's ugly because it means we have to replicate the logic embedded in the generator that sets the various derived times in the token claims
Related gh-1631