Summary
JWT verification currently uses default VerificationOptions (no time tolerance) for both key-pair auth and JWKS auth. This means any clock skew between client and server — even 1 second — causes iat (issued-at) validation to reject otherwise valid tokens.
Proposal
Add a 5-second time_tolerance to VerificationOptions in both:
src/query/users/src/jwt/key_pair.rs (verify_token_with_key)src/query/users/src/jwt/authenticator.rs (JWKS verification)
5 seconds is the industry standard (Snowflake, most OAuth implementations) and covers normal NTP clock drift without being overly permissive.
Context
Introduced during key-pair auth implementation (#19786), but applies equally to existing JWKS JWT auth.
Summary
JWT verification currently uses default
VerificationOptions(no time tolerance) for both key-pair auth and JWKS auth. This means any clock skew between client and server — even 1 second — causesiat(issued-at) validation to reject otherwise valid tokens.Proposal
Add a 5-second
time_tolerancetoVerificationOptionsin both:src/query/users/src/jwt/key_pair.rs(verify_token_with_key)src/query/users/src/jwt/authenticator.rs(JWKS verification)5 seconds is the industry standard (Snowflake, most OAuth implementations) and covers normal NTP clock drift without being overly permissive.
Context
Introduced during key-pair auth implementation (#19786), but applies equally to existing JWKS JWT auth.