TJwtAbstract.Verify - Not before failed

cadnan · 2025-03-11 14:39:07

On some computers we get "not before failed" error when validating token from an OpenID Connect Identity Provider.
I assume this could be due to an NTP sync issue of the computer running mORMot application and the Identity provider issuing the token.

The following line did not help:

Verify(Token, jwt, [jrcNotBefore])

Any idea on how to have some "tolerance" in the code for this?

ab · 2025-03-11 20:52:46

Try to debug a little and find out what's wrong.

cadnan · 2025-03-12 14:24:25

Difficult to debug as this is a client environment, not possible to install delphi or anything like that. Also, it does not happen on every machine, and interestingly enough those machines that had problem yesterday are working fine today.. so typical..

However, one machine was still stating "not before failed" so I added my own UnixTimeUtc timestamps before and after calling Verify and then compare those with the nbf in token.
Result: it was always 1 sec difference!

So, on that particular machine (or who knows how many others) I always get a token that is "from the future" for that given machine.
This is why I was thinking if there is some sort of "delta" tolerance.

ab · 2025-03-12 18:28:14

The not before / not after have a tolerance range of more than 1 second, IIRC.

cadnan · 2025-03-17 08:42:01

I've found NotBeforeDelta (with 15 sec default) parameter within VerifyPayload procedure, but nothing similar is in the Verify procedure. Is there a reason for using one over another? Both are being tested in test.core.crypt.pas although no specific test for nbf.

The only thing I can see is that CheckAgainstActualTimestamp is not having any "delta" tolerance in:

    if jrcNotBefore in Jwt.claims then
      if not ToCardinal(Jwt.reg[jrcNotBefore], unix) or
         (nowunix < unix) then
      begin
        Jwt.result := jwtNotBeforeFailed;
        exit;
      end;

ab · 2025-03-17 17:20:11

It makes sense now.

Please try with
https://github.com/synopse/mORMot2/commit/d047caea4

There is a 30 seconds grace delay by default now.

cadnan · 2025-03-18 09:34:20

Great! Thanks Arnaud.. works as expected!

mORMot Open Source

#1 2025-03-11 14:39:07

TJwtAbstract.Verify - Not before failed

#2 2025-03-11 20:52:46

Re: TJwtAbstract.Verify - Not before failed

#3 2025-03-12 14:24:25

Re: TJwtAbstract.Verify - Not before failed

#4 2025-03-12 18:28:14

Re: TJwtAbstract.Verify - Not before failed

#5 2025-03-17 08:42:01

Re: TJwtAbstract.Verify - Not before failed

#6 2025-03-17 17:20:11

Re: TJwtAbstract.Verify - Not before failed

#7 2025-03-18 09:34:20

Re: TJwtAbstract.Verify - Not before failed

Board footer