tzssangglass commented on code in PR #7500:
URL: https://github.com/apache/apisix/pull/7500#discussion_r926500111
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -49,6 +49,7 @@ For Consumer:
| exp | integer | False
| 86400 | [1,...] | Expiry time of the token in
seconds.
|
| base64_secret | boolean | False
| false | | Set to true if the secret is
base64 encoded.
|
| vault | object | False
| | | Set to true to use Vault for
storing and retrieving secret (secret for HS256/HS512 or public_key and
private_key for RS256). By default, the Vault path is
`kv/apisix/consumer/<consumer_name>/jwt-auth`. |
+| lifetime_grace_period | integer | False
| 0 | [0,...] | Define the leeway in seconds to
account for clock skew between the server that generated the jwt and the server
validating it. Value should be zero (0) or a positive integer. |
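Review bot: the new `lifetime_grace_period` row should state that the leeway only ever widens the acceptance window, i.e. a token is still accepted for up to `lifetime_grace_period` seconds after its `exp`, so the effective lifetime becomes `exp` + `lifetime_grace_period`. As worded ("account for clock skew between the server that generated the jwt and the server validating it") a reader may assume it compensates skew in either direction, which the `[0,...]` range does not allow. It is also worth one sentence on the trade-off, since every second of leeway is a second longer an already-expired token stays usable on that consumer, so clock synchronisation should be fixed before the value is raised. Minor: the other rows describe the attribute ("Expiry time of the token in seconds.") rather than opening with "Define", and "jwt" should be written "JWT" as elsewhere in the thread.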
Review Comment:
Suppose the current real time is 17:05:30.

1. Server A, which generates the JWT, displays the time 17:05:30 when a JWT is generated with a validity of 60 seconds.
2. Server B, which verifies the JWT, displays the time 17:05:20.

When 65 seconds of real time have passed, Server A shows a time of 17:06:35 and Server B shows a time of 17:06:25.

At this point, to verify the JWT on Server B, we need to set the leeway to -10 to keep the time consistent with Server A and the real time. Otherwise, the JWT should be expired at this time, but Server B sees the time 17:06:25 and thinks the JWT is not expired.

**So it is necessary to make the leeway range from [-N, N].**

I will verify this scenario later.
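The two-server scenario from the comment above, replayed in code. This is an added example, not APISIX or lua-resty-jwt code: a minimal HS256 issuer and verifier built on the Python standard library, where the `leeway` argument plays the role of the `lifetime_grace_period` under discussion and server B's clock is modelled as an offset from real time. The secret, the `hms` helper, the `b_accepts` and `rejects_wrong_key` functions and the use of the comment's 17:05:30 timestamps as plain seconds are all constructed for the example.

```python
"""Clock-skew walk-through for JWT `exp` validation with a leeway (added example)."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) for `claims`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_hs256(token: str, secret: bytes, now: int, leeway: int) -> dict:
    """Check the signature, then `exp` with a leeway: accept while now <= exp + leeway.
    A negative leeway therefore tightens the check, a positive one loosens it."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now > claims["exp"] + leeway:
        raise ValueError("token expired")
    return claims


def hms(h: int, m: int, s: int) -> int:
    """Time of day as seconds, so the comment's wall-clock values can be used directly."""
    return h * 3600 + m * 60 + s


SECRET = b"constructed-example-secret"  # constructed for the example
ISSUE_REAL = hms(17, 5, 30)             # real time at which server A mints the token
VALIDITY = 60                           # token lifetime in seconds, as in the comment


def b_accepts(elapsed: int, b_offset: int, leeway: int) -> bool:
    """Server A (assumed on time) issues at ISSUE_REAL with VALIDITY seconds; server B,
    whose clock is `b_offset` seconds off real time, verifies `elapsed` real seconds
    later with `leeway`. Returns whether B accepts the token."""
    token = issue_hs256({"sub": "demo", "exp": ISSUE_REAL + VALIDITY}, SECRET)
    b_now = ISSUE_REAL + elapsed + b_offset
    try:
        verify_hs256(token, SECRET, now=b_now, leeway=leeway)
        return True
    except ValueError:
        return False


def rejects_wrong_key() -> bool:
    """Leeway only affects the time check; it never bypasses the signature check."""
    token = issue_hs256({"sub": "demo", "exp": ISSUE_REAL + VALIDITY}, SECRET)
    try:
        verify_hs256(token, b"other-key", now=ISSUE_REAL, leeway=3600)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # The comment's scenario: B is 10 s behind and 65 real seconds have passed.
    print("B 10s behind, leeway 0   ->", "accepted" if b_accepts(65, -10, 0) else "rejected")
    print("B 10s behind, leeway -10 ->", "accepted" if b_accepts(65, -10, -10) else "rejected")
    # The case a non-negative leeway is meant for: B is 10 s ahead, token still valid.
    print("B 10s ahead,  leeway 0   ->", "accepted" if b_accepts(55, 10, 0) else "rejected")
    print("B 10s ahead,  leeway 10  ->", "accepted" if b_accepts(55, 10, 10) else "rejected")
```

With server B 10 seconds behind, a leeway of 0 makes B accept the token 5 seconds after it has really expired, and only a leeway of -10 restores the real-time result; with B 10 seconds ahead, a leeway of 0 rejects a token that is still valid and a leeway of 10 fixes that. Whatever range is finally allowed, the value is applied to every token the consumer verifies, so a positive leeway lengthens the acceptance window for all of them rather than correcting one issuer's clock.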
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]