Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

error: client_assertion token has an expiration too far into the future #382

Open
gabrielsroka opened this issue Dec 15, 2023 · 5 comments
Open

error: client_assertion token has an expiration too far into the future #382

gabrielsroka opened this issue Dec 15, 2023 · 5 comments

Comments

@gabrielsroka
Copy link
Contributor

Okta node sdk sets expiration for 5 minutes:
https://github.com/okta/okta-sdk-nodejs/blob/895d48c9bf4e2e1d0d2fadcf0a84cc550e301851/src/jwt.js#L72-L84

whereas Python uses 60 minutes:

okta-sdk-python/okta/jwt.py

Lines 114 to 122 in 700c5f1

expiry_time = issued_time + JWT.ONE_HOUR
# generate unique JWT ID
generated_JWT_ID = str(uuid.uuid4())
# Create claims for token and create token
claims = {
'sub': client_id,
'iat': issued_time,
'exp': expiry_time,

i frequently get

okta-sdk-python - http_client - ERROR - {'message': "HTTP 401 {'error': 'invalid_client', 'error_description': 
'The client_assertion token has an expiration too far into the future.'}"}

errors on Python, but never on node. i set my clock using time.windows.com, but it's usually 1 sec fast
@gabrielsroka
Copy link
Contributor Author

one hacky workaround is to modify the variable:

okta.jwt.JWT.ONE_HOUR -= 5 # allow 5 seconds of clock skew

@frozb
Copy link

frozb commented Jan 28, 2025

Hi, this issue is open for more than a year. Is there a plan to fix this? We hit this error today when moving from API Tokens to PrivateKey authentication. As it is currently implemented, we don't feel comfortable using PrivateKey authentication in production.

As suggested above, a solution would be to reduce the expiry_time by a few seconds to allow for clock skew:

expiry_time = issued_time + JWT.ONE_HOUR - 5

Or even better, using 45-min instead of 1h.

Is there a reason why the expiry time is set for so long in the future?

@gabrielsroka
Copy link
Contributor Author

is there a plan to fix this?

i'm guessing not. see also #375. there are dozens of open issues going back years.

we don't feel comfortable

i wouldn't feel comfortable using something that doesn't get bug fixes or is replaced every few years -- there was an old beta SDK that never went GA, then the current one, now they're doing it again -- that's 3 times in 4 years!?

i just use requests. it's not async, it's easier to use, and i don't have to worry about bugs being ignored.

i have example code. if you're interested, let me know.

gabrielsroka added a commit to gabrielsroka/okta-sdk-python that referenced this issue Jan 28, 2025
@gabrielsroka
Update jwt.py
5a1aab3 
60 minutes is too long and causes error okta#382
@gabrielsroka gabrielsroka mentioned this issue Jan 28, 2025
Open
@gabrielsroka
Copy link
Contributor Author

i just submitted this PR #434

@frozb
Copy link

frozb commented Jan 31, 2025

Thanks for the PR! Hopefully it gets reviewed soon.

Also, I appreciate the link on the SDK refresh. I wasn't aware of the plan for a new Python SDK. Our team will wait a bit longer before committing to writing our own.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gabrielsroka @frozb