#1 2025-03-11 14:39:07

cadnan
Member
From: Sweden
Registered: 2020-09-22
Posts: 20

TJwtAbstract.Verify - Not before failed

On some computers we get a "not before failed" error when validating a token from an OpenID Connect Identity Provider.
I assume this could be due to an NTP sync issue of the computer running mORMot application and the Identity provider issuing the token.

The following line did not help:

Verify(Token, jwt, [jrcNotBefore])

Any idea on how to have some "tolerance" in the code for this?

Offline

#2 2025-03-11 20:52:46

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,935
Website

Re: TJwtAbstract.Verify - Not before failed

Try to debug a little and find out what's wrong.

Offline

#3 2025-03-12 14:24:25

cadnan
Member
From: Sweden
Registered: 2020-09-22
Posts: 20

Re: TJwtAbstract.Verify - Not before failed

It is difficult to debug, as this is a client environment; it is not possible to install Delphi or anything like that. Also, it does not happen on every machine, and interestingly enough, those machines that had the problem yesterday are working fine today... so typical.

However, one machine was still stating "not before failed", so I added my own UnixTimeUtc timestamps before and after calling Verify and then compared those with the nbf in the token.
Result: it was always a 1 second difference!

So, on that particular machine (or who knows how many others) I always get a token that is "from the future" for that given machine.
This is why I was thinking if there is some sort of "delta" tolerance.

Offline

#4 2025-03-12 18:28:14

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,935
Website

Re: TJwtAbstract.Verify - Not before failed

The not before / not after have a tolerance range of more than 1 second, IIRC.

Offline

#5 2025-03-17 08:42:01

cadnan
Member
From: Sweden
Registered: 2020-09-22
Posts: 20

Re: TJwtAbstract.Verify - Not before failed

I've found a NotBeforeDelta parameter (with a 15 sec default) within the VerifyPayload procedure, but there is nothing similar in the Verify procedure. Is there a reason for using one over the other? Both are being tested in test.core.crypt.pas, although there is no specific test for nbf.

The only thing I can see is that CheckAgainstActualTimestamp does not have any "delta" tolerance in:

    // nowunix holds the verifier's current Unix time; unix receives the parsed nbf claim
    if jrcNotBefore in Jwt.claims then
      // rejects as soon as nbf is even one second ahead of the local clock
      if not ToCardinal(Jwt.reg[jrcNotBefore], unix) or
         (nowunix < unix) then
      begin
        Jwt.result := jwtNotBeforeFailed;
        exit;
      end;

Offline

#6 2025-03-17 17:20:11

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,935
Website

Re: TJwtAbstract.Verify - Not before failed

It makes sense now.

Please try with
https://github.com/synopse/mORMot2/commit/d047caea4

There is a 30-second grace delay by default now.

Offline
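To make the effect of the grace delay discussed in posts #5 and #6 concrete, here is an added example in plain Python. It is not mORMot code and does not use the mORMot API: it re-implements the nbf/exp time check with a symmetric leeway window, builds a constructed unsigned token whose issuer clock runs 1 second ahead of the verifier (the symptom reported above), and shows the check failing with no tolerance and passing with a 30-second window. The claim names, the leeway value and the result strings are assumptions for this illustration; signature verification is intentionally left out and must be done before any claim is trusted.

```python
"""Clock-skew tolerance when checking JWT time claims (nbf / exp / iat).

Added example, not mORMot code: it mirrors the check discussed in the thread
in plain Python so the effect of a grace delay can be seen on a constructed
token. Signature verification is deliberately out of scope here and must
happen before the claims are trusted.
"""
import base64
import json
import time
from typing import Optional

# Result values are assumptions for this example (mORMot uses its own enum).
JWT_OK = "ok"
JWT_NOT_BEFORE_FAILED = "not_before_failed"
JWT_EXPIRED = "expired"
JWT_INVALID = "invalid_claim"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def payload_claims(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_time_claims(claims: dict, now: int, leeway: int = 30) -> str:
    """Validate nbf/exp against `now` with a grace window of `leeway` seconds.

    A token whose nbf is at most `leeway` seconds in the future is accepted,
    so a verifier whose clock is slightly behind the issuer does not reject a
    freshly issued token. The same window is applied on the exp side, which
    also means a positive leeway extends every token's usable life by that
    many seconds: keep it in the range of real NTP drift, not minutes.
    """
    if leeway < 0:
        raise ValueError("leeway must be non-negative")
    # NumericDate claims must be numbers (bool is an int subclass in Python).
    for name in ("nbf", "exp", "iat"):
        value = claims.get(name)
        if value is not None and (isinstance(value, bool)
                                  or not isinstance(value, (int, float))):
            return JWT_INVALID
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        return JWT_NOT_BEFORE_FAILED
    exp = claims.get("exp")
    if exp is not None and now - leeway >= exp:
        return JWT_EXPIRED
    return JWT_OK


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact token for the demo only.

    Real tokens from an OpenID Connect provider are signed; this helper just
    produces something payload_claims() can parse.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}."


def demo(now: Optional[int] = None) -> dict:
    """Reproduce the thread's symptom: an issuer clock 1 s ahead of the verifier."""
    if now is None:
        now = int(time.time())
    issuer_now = now + 1  # the issuer's clock runs 1 second ahead of ours
    token = make_unsigned_token({"iss": "https://idp.example", "sub": "alice",
                                 "iat": issuer_now, "nbf": issuer_now,
                                 "exp": issuer_now + 300})
    claims = payload_claims(token)
    return {
        # no tolerance: nbf is 1 s in the future, so the token is rejected
        "strict": check_time_claims(claims, now, leeway=0),
        # 30 s grace window: the same token is accepted
        "grace_30s": check_time_claims(claims, now, leeway=30),
        # verifier 32 s behind the issuer: outside the window, still rejected
        "skew_too_large": check_time_claims(claims, now - 31, leeway=30),
    }


if __name__ == "__main__":
    print(demo())
```

The leeway fixes the symptom of a slightly drifting clock, but a machine that is a minute or more off should be corrected at the NTP level rather than by widening the window, since every extra second of tolerance is also an extra second during which an expired token is still accepted.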

#7 2025-03-18 09:34:20

cadnan
Member
From: Sweden
Registered: 2020-09-22
Posts: 20

Re: TJwtAbstract.Verify - Not before failed

Great! Thanks Arnaud, works as expected!

Offline
