tzssangglass commented on code in PR #7500:
URL: https://github.com/apache/apisix/pull/7500#discussion_r926863888


##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -49,6 +49,7 @@ For Consumer:
 | exp           | integer | False                                              
   | 86400   | [1,...]                     | Expiry time of the token in 
seconds.                                                                        
                                                                                
|
 | base64_secret | boolean | False                                              
   | false   |                             | Set to true if the secret is 
base64 encoded.                                                                 
                                                                               |
 | vault         | object  | False                                              
   |         |                             | Set to true to use Vault for 
storing and retrieving secret (secret for HS256/HS512  or public_key and 
private_key for RS256). By default, the Vault path is 
`kv/apisix/consumer/<consumer_name>/jwt-auth`. |
+| lifetime_grace_period | integer | False                                      
   | 0       | [0,...]                     | Define the leeway in seconds to 
account for clock skew between the server that generated the jwt and the server 
validating it. Value should be zero (0) or a positive integer. |
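
Review bot: In the new `lifetime_grace_period` row, the range `[0,...]` has no upper bound and the description does not say what happens to a value outside it. Because this leeway widens the window in which a token is still accepted, consider advising a small value sized to the expected clock skew, or documenting a maximum. The row should also state that a negative value is rejected; the trace in the review comment below shows lua-resty-jwt raising from `ensure_is_non_negative` during the access phase, so the plugin schema should reject a negative value at configuration time rather than at request time. Minor: "jwt" in the description reads better as "JWT".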

Review Comment:
   @tokers Unfortunately, the lib lua-resty-jwt currently allows setting 
`lifetime_grace_period` to be less than 0. Even though it seems to us that this 
makes sense.
   
   The error stack for the test is as follows.
   
   ```
   stack traceback:
   coroutine 0:
        [C]: in function 'error'
        ...local/apisix/deps/share/lua/5.1/resty/jwt-validators.lua:81: in function 'ensure_is_non_negative'
        ...local/apisix/deps/share/lua/5.1/resty/jwt-validators.lua:323: in function 'set_system_leeway'
        /usr/local/apisix/deps/share/lua/5.1/resty/jwt.lua:713: in function 'get_claim_spec_from_legacy_options'
        /usr/local/apisix/deps/share/lua/5.1/resty/jwt.lua:788: in function 'validate_claims'
        /usr/local/apisix/deps/share/lua/5.1/resty/jwt.lua:822: in function 'verify_jwt_obj'
        /usr/local/apisix/apisix/plugins/jwt-auth.lua:399: in function 'phase_func'
        /usr/local/apisix/apisix/plugin.lua:897: in function 'run_plugin'
        /usr/local/apisix/apisix/init.lua:435: in function 'http_access_phase'
        access_by_lua(nginx.conf:427):4: in main chunk, client: 127.0.0.1, server: localhost, request: "GET /hello HTTP/1.1", host: "127.0.0.1:1984"
   ```
   
   `ensure_is_non_negative` will check that `lifetime_grace_period` is at least 
greater than 0.


