Sakai / SAK-41850

Add Leeway to JWT Signature Checking (LTI Advantage)


    Details

    • 19 status: Resolved
    • 12 status: Please Merge
    • Test Plan:

      There is no practical way to test this easily except to test for regressions in LTI 1.3. If a developer really wanted to test this, you would set up a Tsugi server with a date 30 seconds ahead of Sakai and try LTI 1.3 round trips and have them fail before the patch and succeed after the patch. Probably not worth the effort.


      Description

      Change the LTI 1.3 signature checking to allow 60 seconds of clock skew when checking JSON Web Tokens. By default, JWT parsing generally allows a JWT's time to be up to 300 seconds behind Sakai's current time. But if the time in the JWT is ahead of Sakai's current time by even a single second, the default is to reject the signature. Good practice is to allow a little "leeway" on both the "too late" and the "too early" side.

      From https://tools.ietf.org/html/rfc7519

      "Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew."

      So far in testing, 60 seconds is enough to cover most cases.
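      As an added illustration (not Sakai's or Tsugi's own code), a Python check of a decoded JWT payload's time claims with separate "too early" and "too late" tolerances, so the library default described above (300 s late allowed, nothing early) and the 60 s leeway of this issue can be compared on the same token. The 60 s value is assumed to apply on both sides; the claim values and timestamps are constructed for the example.

```python
import time
from typing import Optional

# Added example, not Sakai's code: validate the time claims of an already
# decoded JWT payload with separate "too early" and "too late" tolerances.
# Library default as described in SAK-41850: 300 s late allowed, 0 s early.
DEFAULT_EARLY_LEEWAY, DEFAULT_LATE_LEEWAY = 0, 300
# Symmetric 60 s skew chosen by the issue (assumed to apply on both sides).
PATCHED_EARLY_LEEWAY, PATCHED_LATE_LEEWAY = 60, 60


def check_time_claims(claims: dict, now: Optional[float] = None,
                      early_leeway: int = DEFAULT_EARLY_LEEWAY,
                      late_leeway: int = DEFAULT_LATE_LEEWAY) -> Optional[str]:
    """Return None if exp/nbf/iat are acceptable at `now` (Unix seconds),
    otherwise a short rejection reason.

    early_leeway: seconds the issuer's clock may run ahead of ours ("too early").
    late_leeway:  seconds the issuer's clock may run behind ours ("too late").
    """
    if now is None:
        now = time.time()
    for name in ("exp", "nbf", "iat"):
        value = claims.get(name)
        if value is not None and not isinstance(value, (int, float)):
            return f"{name} is not a NumericDate"
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    if exp is not None and now > exp + late_leeway:
        return "token expired"
    if nbf is not None and now + early_leeway < nbf:
        return "token not yet valid"
    # With early_leeway == 0 this is the check that rejects a token whose
    # issuer clock is even one second ahead of ours.
    if iat is not None and now + early_leeway < iat:
        return "token issued in the future"
    return None


def compare_before_after(claims: dict, now: float) -> tuple:
    """Outcome of the same token under the default and the patched leeway."""
    before = check_time_claims(claims, now, DEFAULT_EARLY_LEEWAY, DEFAULT_LATE_LEEWAY)
    after = check_time_claims(claims, now, PATCHED_EARLY_LEEWAY, PATCHED_LATE_LEEWAY)
    return before, after


if __name__ == "__main__":
    # Constructed scenario: the issuing platform's clock is 1 s ahead of ours.
    NOW = 1_700_000_000
    print(compare_before_after({"iat": NOW + 1, "exp": NOW + 301}, NOW))
```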

              People

              • Assignee: Charles Severance (csev)
              • Reporter: Charles Severance (csev)
              • Votes: 0
              • Watchers: 2
