Oidc-client-js: Clients with an incorrect system clock are not validated

Created on 18 Dec 2017 · 3 Comments · Source: IdentityModel/oidc-client-js

We had an issue with a customer who wasn't able to navigate to the checkout of our site. He had the following error in the console:

[image]

It seemed that the token was valid based on what I could see in the data being passed in the URL, but upon further investigation, it seemed that the client machine system clock was off by one hour, making the token invalid on his machine.

I can see that https://github.com/IdentityModel/oidc-client-js/blob/dev/src/JoseUtil.js line 71 uses Date.now() unless a now is passed to the function, which it is not (https://github.com/IdentityModel/oidc-client-js/blob/dev/src/ResponseValidator.js line 293).

So I guess this isn't a bug in the framework, but still a situation that we would like to handle somehow. Would it be possible to get the clock from somewhere trusted? We're not exactly sure how to handle this.

The checkout is an SPA using the implicit flow.

question

All 3 comments

it seemed that the client machine system clock was off by one hour

The spec assumes a correct clock, typically off by no more than 5m.

Thank you for the very swift response. So no, there is nothing we can do about it?

Fix their clock :)
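The validation path the report points at (JoseUtil taking a now that ResponseValidator never supplies) and the 5-minute tolerance mentioned in the reply, shown as an added example in Node.js. This is my own code, not oidc-client-js code: the claim names follow the JWT spec, the 300-second tolerance is an assumption taken from the reply, and learning an offset from a server's HTTP Date header is one way to "get the clock from somewhere trusted" (a fetch is left to the caller). The sample token and the Date header value are constructed inline, and the signature is not verified.

```javascript
// Added example (not oidc-client-js code): JWT time-claim validation with an
// injectable "now" and a skew tolerance, plus a clock that corrects the local
// Date.now() with an offset learned from a server's HTTP Date header.
// Node.js; only the standard library is used.

const DEFAULT_SKEW_SECONDS = 300; // 5-minute tolerance, as in the maintainer's reply (assumption)

// Base64url encode/decode helpers (RFC 7515 style, no padding).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Extract the claims of a compact JWS. The signature is NOT checked here; a real
// validator verifies it first and only then applies the time checks below.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return b64urlDecode(parts[1]);
}

// Check iat/nbf/exp against `now` (seconds since the Unix epoch). `now` is a
// parameter rather than Date.now() so the caller decides which clock to trust.
function validateTimeClaims(claims, now, skewSeconds = DEFAULT_SKEW_SECONDS) {
  if (!Number.isFinite(now)) throw new TypeError('now must be a finite number of seconds');
  if (!Number.isFinite(claims.exp)) return { ok: false, reason: 'exp missing' };
  if (Number.isFinite(claims.iat) && claims.iat > now + skewSeconds) {
    return { ok: false, reason: 'iat in the future' };
  }
  if (Number.isFinite(claims.nbf) && claims.nbf > now + skewSeconds) {
    return { ok: false, reason: 'nbf in the future' };
  }
  if (claims.exp <= now - skewSeconds) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, reason: '' };
}

// A clock that trusts the server instead of the local machine. The offset is
// learned from the Date header of any response from the identity provider and
// then applied to the local clock on every read.
class ServerOffsetClock {
  constructor() { this.offsetMs = 0; }
  // dateHeader: value of the response's Date header; localReceiveMs: Date.now()
  // captured when that response arrived.
  syncFromDateHeader(dateHeader, localReceiveMs) {
    const serverMs = Date.parse(dateHeader);
    if (Number.isNaN(serverMs)) throw new Error('unparseable Date header');
    this.offsetMs = serverMs - localReceiveMs;
    return this.offsetMs;
  }
  nowSeconds(localNowMs = Date.now()) {
    return Math.floor((localNowMs + this.offsetMs) / 1000);
  }
}

// Constructed sample token: issued 2017-12-18T12:26:40Z, valid for one hour.
const ISSUED_AT = 1513600000;
function sampleToken() {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = { iss: 'https://idp.example', sub: 'user1', iat: ISSUED_AT, exp: ISSUED_AT + 3600 };
  return `${b64urlEncode(header)}.${b64urlEncode(claims)}.sig`; // placeholder signature
}

// Three scenarios, all evaluated one minute after issuance.
function demo() {
  const claims = decodeJwtPayload(sampleToken());
  const trueNow = ISSUED_AT + 60;
  const slowLocalNow = trueNow - 3600; // client clock one hour behind

  const clock = new ServerOffsetClock();
  // The server stamps its response with the true time; the client records the
  // arrival on its own (slow) clock, so the learned offset is +3600 s.
  clock.syncFromDateHeader(new Date(trueNow * 1000).toUTCString(), slowLocalNow * 1000);

  return {
    correctClock: validateTimeClaims(claims, trueNow),                 // ok
    slowClock: validateTimeClaims(claims, slowLocalNow),               // fails: iat in the future
    slowClockServerOffset: validateTimeClaims(claims, clock.nowSeconds(slowLocalNow * 1000)), // ok
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Two caveats on the server-offset approach: the Date header has one-second resolution and includes network latency, so a skew tolerance is still needed; and it only moves trust from the user's clock to the server's, which is acceptable here because that server is the token issuer the client already trusts.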
