JWT parser not accounting for clock skew
dInquisitor opened this issue
When testing out the supertokens exploratory project, I kept getting a "Token used before issued" error with Google sign in/up.
It turns out that the version of the golang-jwt package (v4) being used for OAuth claims validation does not account for clock skew between my server and the IdP server, which caused the OAuth token to be apparently issued 1 second after it's used here.
The current version (v5) now accounts for clock skew, so is it possible to consider upgrading to the new version?
The only dependency seems to be keyfunc, which also only needs a version bump as far as I can tell.
Hi @dInquisitor
Thanks for the issue! The migration guide for golang-jwt seems pretty extensive, so we will need time to evaluate all the changes needed and possible side effects of moving to v5. We will add it to our pipeline and get around to this as soon as we can. Leaving this open so you can keep track of progress on this.
thank you!
This has been released in version >= 0.16.0 of the golang SDK.
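The failure reported in this thread, as an added example that is not part of the original issue and is not code from the SDK or from golang-jwt: a standard-library check of the `iat`, `nbf` and `exp` claims that rejects a token issued 1 second ahead of the local clock when the leeway is zero and accepts it with a small, bounded leeway. The names `TimeClaims`, `ValidateTimes` and `MaxLeeway`, and the 60-second cap, are assumptions made for illustration; signature verification is assumed to have happened before this step.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TimeClaims holds a JWT's registered time claims as Unix seconds (0 = absent).
type TimeClaims struct{ Iat, Nbf, Exp int64 }

// MaxLeeway caps the tolerance (assumed value): leeway also extends the
// lifetime of expired tokens, so it should stay small.
const MaxLeeway = 60 * time.Second

var (
	ErrUsedBeforeIssued = errors.New("token used before issued")
	ErrNotValidYet      = errors.New("token is not valid yet")
	ErrExpired          = errors.New("token is expired")
	ErrBadLeeway        = errors.New("leeway out of range")
)

// ValidateTimes checks the claims against now, tolerating up to leeway of
// clock difference between the issuer and this server.
func ValidateTimes(c TimeClaims, now time.Time, leeway time.Duration) error {
	if leeway < 0 || leeway > MaxLeeway {
		return ErrBadLeeway
	}
	ahead := now.Add(leeway)   // latest iat/nbf still accepted
	behind := now.Add(-leeway) // exp must be strictly after this instant
	switch {
	case c.Iat != 0 && time.Unix(c.Iat, 0).After(ahead):
		return ErrUsedBeforeIssued
	case c.Nbf != 0 && time.Unix(c.Nbf, 0).After(ahead):
		return ErrNotValidYet
	case c.Exp != 0 && !time.Unix(c.Exp, 0).After(behind):
		return ErrExpired
	}
	return nil
}

func main() {
	// Constructed sample: the IdP clock runs 1 second ahead of this server.
	now := time.Unix(1700000000, 0)
	c := TimeClaims{Iat: 1700000001, Exp: 1700003600}
	fmt.Println("leeway 0s:", ValidateTimes(c, now, 0))
	fmt.Println("leeway 5s:", ValidateTimes(c, now, 5*time.Second))
}
```
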