Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi. We’re using Hydra for oidc flows and use private_key_jwt as an authentication method. In the signed object, an iat claim is included. If any clients are at all ahead of the server time, the token request fails with “Token used before issued”. I see that the code in Fosite is commented as not supporting any clock skew. I’d be willing to try and help get this fixed. Are there deeper issues as to why this wasn’t handled?

Hello <@U030K988PGT>

The biggest issue was probably a lack of priority and if you would be willing to look into this :pray:
The best course is probably to open an issue in <https://github.com/ory/fosite> (i presume the change is in fosite),  discuss your changes with the core maintainers and then get hacking :gohack:

Thanks, I’ll do that. I can see where the clock skew needs to be applied in Fosite, but I think the skew should likely be configurable. Trying to figure out how to do that is a challenge (for me) right now.