error: client_assertion token has an expiration too far into the future

[gabrielsroka]

Okta node sdk sets expiration for 5 minutes:
https://github.com/okta/okta-sdk-nodejs/blob/895d48c9bf4e2e1d0d2fadcf0a84cc550e301851/src/jwt.js#L72-L84

whereas Python uses 60 minutes:

okta-sdk-python/okta/jwt.py

Lines 114 to 122 in 700c5f1

	expiry_time = issued_time + JWT.ONE_HOUR
	# generate unique JWT ID
	generated_JWT_ID = str(uuid.uuid4())
	# Create claims for token and create token
	claims = {
	'sub': client_id,
	'iat': issued_time,
	'exp': expiry_time,

i frequently get

okta-sdk-python - http_client - ERROR - {'message': "HTTP 401 {'error': 'invalid_client', 'error_description': 
'The client_assertion token has an expiration too far into the future.'}"}

errors on Python, but never on node. i set my clock using time.windows.com, but it's usually 1 sec fast

[gabrielsroka]

one hacky workaround is to modify the variable:

okta.jwt.JWT.ONE_HOUR -= 5 # allow 5 seconds of clock skew

[frozb]

Hi, this issue is open for more than a year. Is there a plan to fix this? We hit this error today when moving from API Tokens to PrivateKey authentication. As it is currently implemented, we don't feel comfortable using PrivateKey authentication in production.

As suggested above, a solution would be to reduce the expiry_time by a few seconds to allow for clock skew:

expiry_time = issued_time + JWT.ONE_HOUR - 5

Or even better, using 45-min instead of 1h.

Is there a reason why the expiry time is set for so long in the future?

[gabrielsroka]

is there a plan to fix this?

i'm guessing not. see also #375. there are dozens of open issues going back years.

we don't feel comfortable

i wouldn't feel comfortable using something that doesn't get bug fixes or is replaced every few years -- there was an old beta SDK that never went GA, then the current one, now they're doing it again -- that's 3 times in 4 years!?

i just use requests. it's not async, it's easier to use, and i don't have to worry about bugs being ignored.

i have example code. if you're interested, let me know.

[gabrielsroka]

i just submitted this PR #434

[frozb]

Thanks for the PR! Hopefully it gets reviewed soon.

Also, I appreciate the link on the SDK refresh. I wasn't aware of the plan for a new Python SDK. Our team will wait a bit longer before committing to writing our own.

[BinoyOza-okta]

This issue has been fixed and released in V2.9.12: https://github.com/okta/okta-sdk-python/releases/tag/v2.9.12