tzssangglass commented on code in PR #7500:
URL: https://github.com/apache/apisix/pull/7500#discussion_r926500111


##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -49,6 +49,7 @@ For Consumer:
 | exp           | integer | False                                              
   | 86400   | [1,...]                     | Expiry time of the token in 
seconds.                                                                        
                                                                                
|
 | base64_secret | boolean | False                                              
   | false   |                             | Set to true if the secret is 
base64 encoded.                                                                 
                                                                               |
 | vault         | object  | False                                              
   |         |                             | Set to true to use Vault for 
storing and retrieving secret (secret for HS256/HS512  or public_key and 
private_key for RS256). By default, the Vault path is 
`kv/apisix/consumer/<consumer_name>/jwt-auth`. |
+| lifetime_grace_period | integer | False                                      
   | 0       | [0,...]                     | Define the leeway in seconds to 
account for clock skew between the server that generated the jwt and the server 
validating it. Value should be zero (0) or a positive integer. |

Review Comment:
   And for JWT authentication scenarios, it does not make sense to set the 
leeway to less than 0.
   
   Suppose the current real time is 17:05:30.
   
   1. Server A, which generates the JWT, displays the time 17:05:30, when a JWT is generated with a validity of 60 seconds.
   2. Server B, which verifies the JWT, shows the time 17:05:20.
   
   When 55 seconds of real time have passed.
   
   At this time, the time displayed on Server A is 17:06:25, and the time displayed on Server B is 17:06:15.
   
   At this point, the JWT is verified on Server B. At this point, the leeway 
needs to be set to -10 to keep the time consistent with Server A and the real 
time.
   
   For Server B, the JWT expires at 17:06:30, and the JWT does not expire at 
this time.
   At this point, even if the leeway is not -10, the JWT will not expire.
   
   When another 10 seconds of real time have passed.
   
   At this point, Server A shows a time of 17:06:35 and Server B shows a time 
of 17:06:25.
   
   
   At this point, to verify the JWT on Server B, you need to set the leeway to 
-10 to keep the time consistent with Server A and the real time.
   
   Otherwise, the JWT should be expired at this time, but Server B sees the 
time 17:06:25 and thinks the JWT is not expired.
   
   **So it is necessary to make the leeway range from [-N, N].**
   
   I will verify this scenario later.
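The timeline in the comment above, replayed as an added example (this is not APISIX's own code): a minimal HS256 verifier whose `exp` check takes a signed leeway, run against Server B's clock, which is offset from Server A's. `SECRET`, `T0`, the function names and the `b_offset` parameter are assumptions; the scenario also covers the opposite offset (validator ahead of issuer), where a positive leeway is what prevents valid tokens from being rejected early.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"example-shared-secret"  # constructed for this example
T0 = 1_700_000_000  # stand-in epoch for "17:05:30" as read on Server A's clock


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT (toy issuer playing the role of Server A)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes, now: int, leeway: int) -> str:
    """Check the signature, then exp/nbf against the validator's own clock `now`.
    A positive leeway widens the window this validator accepts; a negative one
    narrows it. Returns "ok", "bad signature", "expired" or "not yet valid".
    """
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return "bad signature"  # never trust claims before the signature holds
    claims = json.loads(_b64url_decode(payload))
    if "exp" in claims and now - leeway >= claims["exp"]:
        return "expired"
    if "nbf" in claims and now + leeway < claims["nbf"]:
        return "not yet valid"
    return "ok"


def skew_scenario(leeway: int, b_offset: int = -10) -> dict:
    """Replay the comment's timeline. b_offset is Server B's clock minus Server A's
    (the comment's case is -10: B reads 17:05:20 while A reads 17:05:30)."""
    token = sign_hs256({"sub": "consumer-1", "exp": T0 + 60}, SECRET)  # 60 s validity
    results = {}
    for elapsed in (55, 65):  # real seconds since issuance: the comment's two checkpoints
        b_now = T0 + elapsed + b_offset  # what Server B's clock reads at that moment
        results[elapsed] = verify_hs256(token, SECRET, b_now, leeway)
    return results
```

`skew_scenario(-10)` returns `{55: "ok", 65: "expired"}`, the behaviour the comment asks for, while `skew_scenario(0)` still accepts the token at the 65 s mark even though it has expired in real time.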



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.