Skip to content

Change or skip allowed time skew for ID token issue time validation#1033

Open
Mardaneus86 wants to merge 2 commits intoopenid:masterfrom
Mardaneus86:idtoken-time-skew
Open

Change or skip allowed time skew for ID token issue time validation#1033
Mardaneus86 wants to merge 2 commits intoopenid:masterfrom
Mardaneus86:idtoken-time-skew

Conversation

@Mardaneus86
Copy link

@Mardaneus86 Mardaneus86 commented Jan 4, 2024

Checklist

  • I read the Contribution Guidelines
  • I signed the CLA and WG Agreements
  • I ran, updated and added unit tests as necessary.
  • I verified the contribution matches existing coding style.
  • I updated the documentation if necessary.

Motivation and Context

Change aims to address issue in #830 by adding the ability to either disable or change the allowed time skew for the ID Token issued at time (iat). Changing the allowed time skew can be useful because the clock on some devices can go beyond the default of 10 minutes. The OIDC specs do not define a specific timeframe, and the default of 10 minutes is still used when the new options are not used.

Description

I followed a similar approach as #662 already did for skipping the issuer https check.

AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder()
    .setAllowedIssueTimeSkew(THIRTY_MINUTES_IN_SECONDS)
    .build()
AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder()
    .setSkipIssueTimeValidation(true)
    .build()

@Mardaneus86
Skip issue time validation or change the allowed time skew
4b214e9 
Allows to completely disable ID tokens issue time validation, or change the default of 10 minutes to a custom allowed time skew in seconds.
@Mardaneus86
Update documentation to change the allowed id token time skew
c488707
@brighthr-stanton
Copy link

brighthr-stanton commented Jan 16, 2024

This is a feature we've been waiting for for so long! Please review and accept, and we can move on from depending on v0.7.1 of the library :)

This was referenced Feb 26, 2024
Merged
Merged
@brighthr-stanton
Copy link

brighthr-stanton commented Feb 27, 2024

Hi repo maintainers :) , Any news on this? Have been waiting for a month.... @WilliamDenniss @iainmcgin @StevenEWright

@brighthr-stanton
Copy link

brighthr-stanton commented Mar 13, 2024

agologan I see you seem to be one of the maintainers now? forgive me if I've misunderstood that. Any response to this PR please? We have been waiting a long time for this to be fixed.

@sanduluca
Copy link

sanduluca commented Apr 19, 2024

Any news on this ?

@sanduluca sanduluca mentioned this pull request Apr 19, 2024
Open
@sanduluca
Copy link

sanduluca commented Jul 11, 2024

@agologan Can you check this PR please ?

@EngRajabi
Copy link

EngRajabi commented May 12, 2025
edited
Loading

On some mobile devices, users are required to manually set the time due to issues with the device’s time zone configuration—this is especially common with certain Chinese phones. Additionally, in some countries such as Iran, daylight saving time is inconsistently applied; it may be observed in some years and skipped in others.
Therefore, it would be beneficial to implement this feature to prevent user errors related to time settings.
please merge
@blundell @paulschreiber @iainmcgin

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dsolerma dsolerma dsolerma approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Mardaneus86 @brighthr-stanton @sanduluca @EngRajabi @dsolerma