Is there any way I can remove the "iat" claim from my id_token? Many clients started getting an "iat is at a future date" error at callback.html. Is there any way I could turn this off, please? I tried setting clockskew to a higher number on oidc-client and that did not help.
Could you please help me resolve this issue.
Thanks!
How far in the future is it? Have you checked that the clocks on the client machines are in sync (within a few mins)?
Yes, I checked the client machines and it was around 5 - 20 mins between different clients. Once they synced it properly, it was fine. We have customers globally and I was surprised how many of them did not properly keep their clock in sync. So in order to fix this, I added a clockskew manually on callback.html now. But just something to think about in future to make this optional, as the spec https://tools.ietf.org/html/rfc7519#section-4.1.6 says that it can be optional.
The OIDC protocol requires no more than 5m of clock skew between machines (which is the same requirement as Kerberos).
Oh. I did not know that. I set the clockskew for 15 mins which is a problem then. I think I can just show a message to sync their clock if this issue arises. Thanks for your input.
I faced the same error in my project and this thread did help me resolve it by just setting the time on my laptop automatically.
Although it was strange, I haven't changed the time on my laptop for a few months and the project was working fine last week. But now I have just set the time on auto mode.
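The time-claim check discussed in this thread, as an added example that is not part of the original posts and is not oidc-client's own code. All function names are hypothetical, the sample token is constructed and unsigned, and the 300-second token lifetime is an assumption.

```javascript
// Added example, not oidc-client code. All names and values are illustrative.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed sample token: the third segment is a placeholder, not a signature.
function makeSampleToken(claims) {
  return [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(claims), 'constructed'].join('.');
}

// Read the claims only. This does not verify the signature, so it must run
// alongside signature validation, never instead of it.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare iat/nbf/exp with the local clock, tolerating `skewSec` either way.
function checkTimeClaims(claims, nowSec, skewSec = 300) {
  for (const name of ['iat', 'nbf']) {
    if (typeof claims[name] === 'number' && claims[name] > nowSec + skewSec) {
      const mins = Math.round((claims[name] - nowSec) / 60);
      return { ok: false, error: `${name} is in the future`,
               hint: `Device clock looks about ${mins} min behind; please sync it.` };
    }
  }
  if (typeof claims.exp !== 'number') return { ok: false, error: 'exp is missing', hint: null };
  if (claims.exp < nowSec - skewSec) {
    return { ok: false, error: 'exp is in the past',
             hint: 'Token expired; the device clock may be ahead.' };
  }
  return { ok: true, error: null, hint: null };
}

// Constructed scenario: issuer clock = ISSUED_AT, token lifetime 300 s (assumed).
const ISSUED_AT = 1700000000;
const token = makeSampleToken({ iat: ISSUED_AT, nbf: ISSUED_AT, exp: ISSUED_AT + 300 });
const claims = decodeClaims(token);

function runScenarios() {
  return {
    inSync: checkTimeClaims(claims, ISSUED_AT + 2),
    behind10m: checkTimeClaims(claims, ISSUED_AT - 600),
    ahead20m: checkTimeClaims(claims, ISSUED_AT + 1200),
    behind10mSkew15m: checkTimeClaims(claims, ISSUED_AT - 600, 900),
    expiredSkew15m: checkTimeClaims(claims, ISSUED_AT + 1000, 900),
  };
}
console.log(runScenarios());
```

The last scenario shows the cost of widening the tolerance to 15 minutes: the same setting that lets a slow client through also accepts a token 700 seconds past its `exp`.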