We have a web application: Vue.js (front) and a Node.js API (back).
We delegate authentication to a third-party OpenID Provider.
Users log in on the front end and get an access token.
This access token contains:
In my case, when I log in at 11am I have:
In each request from Vue.js to the Node API, the access token is passed and verified by the back end.
I verify the JWT like this:
jwt.verify(token, publicKey, { algorithms: ['RS256'], audience: process.env.OP_CLIENT });
The publicKey is read from the OpenID Provider's jwks_uri and the audience is my provider client ID.
The problem is that the time on my Node.js server is behind; it reads 9:00.
So when I use verify I get this error message:
NotBeforeError: jwt not active
    at /var/www/app/node_modules/jsonwebtoken/verify.js:143:21
    at getSecret (/var/www/app/node_modules/jsonwebtoken/verify.js:90:14)
    at Object.module.exports [as verify] (/var/www/app/node_modules/jsonwebtoken/verify.js:94:10)
    at async authUser (/var/www/app/src/helpers/openid.js:87:19) {
  date: 2021-07-27T09:00:51.000Z
}
I read that I could ignore the notBefore option, but doesn't the problem remain the same for the validity period of the token? With a time difference between the issuing time of the provider and the time on my server, the verification is distorted.
What do you recommend? Is this the correct way to verify my token from a provider?
Thanks Gary! Finally, I set ENV TZ="Europe/Paris" in my Dockerfile and my backend is now in the correct timezone.
I also disabled the notBefore check to avoid problems if there are a few minutes of lag:
jwt.verify(token, publicKey, { ignoreNotBefore:true, algorithms: ['RS256'], audience: process.env.OP_CLIENT });
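Added example, not part of the original post: a self-contained RS256 verifier that checks nbf and exp against an injected clock with a bounded skew tolerance, the same idea as jsonwebtoken's `clockTolerance` option (in seconds), instead of switching the nbf check off. The key pair, the `my-client` audience, the timestamps and the helper names `issue`, `verify` and `demo` are constructed for illustration; only Node's built-in crypto module is used.

```javascript
const crypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const parse = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed fixture: a throwaway RSA key pair stands in for the provider's JWKS key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Plays the provider's role: sign an RS256 token over constructed claims.
function issue(claims) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}

// Check signature, audience and time claims. `now` (epoch seconds) is injected so a
// lagging server clock can be simulated; `toleranceSec` is the maximum skew accepted.
function verify(token, key, { audience, now, toleranceSec = 0 }) {
  const [head, body, sig] = token.split('.');
  let header, claims;
  try { header = parse(head); claims = parse(body); } catch { return 'malformed'; }
  if (!header || !claims) return 'malformed';
  if (header.alg !== 'RS256') return 'bad algorithm';
  const signed = crypto.verify('RSA-SHA256', Buffer.from(`${head}.${body}`), key,
    Buffer.from(sig || '', 'base64url'));
  if (!signed) return 'bad signature';
  if (![].concat(claims.aud).includes(audience)) return 'bad audience';
  // nbf: accept a token that becomes valid within the tolerance window.
  if (typeof claims.nbf === 'number' && now + toleranceSec < claims.nbf) return 'not active';
  // exp: required here, and extended only by the same bounded tolerance.
  if (typeof claims.exp !== 'number' || now - toleranceSec >= claims.exp) return 'expired';
  return 'ok';
}

// Constructed scenario: token valid from 11:00 UTC for one hour, checked at several clock readings.
function demo() {
  const issued = Date.UTC(2021, 6, 27, 11, 0, 0) / 1000;
  const token = issue({ aud: 'my-client', iat: issued, nbf: issued, exp: issued + 3600 });
  const at = (now, toleranceSec) =>
    verify(token, publicKey, { audience: 'my-client', now, toleranceSec });
  return {
    twoHoursBehind: at(issued - 7200, 120),      // clock far off: tolerance does not hide it
    ninetySecBehind: at(issued - 90, 120),       // small skew: accepted
    ninetySecNoTolerance: at(issued - 90, 0),    // same skew, strict check: rejected
    pastExpiry: at(issued + 3600 + 300, 120),    // expired beyond the tolerance
  };
}

console.log(demo());
```

A two-hour offset is still rejected with a 120-second tolerance, which points at the server clock rather than at the token.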