Comments (17)

chadwtaylor avatar chadwtaylor commented on August 21, 2024 3

Screen Shot 2020-05-03 at 12 08 59

^ Unchecking and checking the checkbox above, as @thornomad said, fixes the problem.

This is what usually happens when I leave my laptop in sleep mode overnight. The system clock seems to get skewed as a result.

from firebase_id_token.

thornomad avatar thornomad commented on August 21, 2024 2

I recently submitted #26 for some error-raising abilities; and, after doing so, narrowed down the problem we are having with one developer machine to a JWT::InvalidIatError. It sounds like we might have the same clock syncing issue. Going to try out disabling the verify_iat flag, though I suspect this will do the trick.

I wonder if it is wisest just to disable the verification in development (not production)?

My local machine is ~45 seconds behind that of the server issuing the JWT, so it appears that the JWT iat is in the future, which is obviously invalid. The only way to solve this for me was to set verify_iat to false in FirebaseIdToken::Signature::JWT_DEFAULTS.

@justin-rhoades - how did you verify that it was the local machine that had a poorly synchronized clock?

PS - can confirm resetting the system clock on the development computer (Mac) fixes the problem.

fschuindt avatar fschuindt commented on August 21, 2024

How are you downloading the certificates? Do you think it might be related with not having enough time for the certificates to be downloaded?

code-matt avatar code-matt commented on August 21, 2024

I have a local redis-server with stock config running, and it is not throwing Exceptions about the certs not being found.

I am getting the certs in there with the rake firebase:certificates:request

I have also done the .request and .request! in the action instead of the rake task, with the same result with the sleep. It's so weird... I am not even doing anything before the sleep.

fschuindt avatar fschuindt commented on August 21, 2024

Hm, really odd. How did you discover that adding a sleep would make it work? By chance? I'm taking a look at the code again 'cause it's been a long time since I've done anything here.

code-matt avatar code-matt commented on August 21, 2024

Yes, desperate trial and error is how I found it 👍 I originally had the .request above the sleep thinking what you did, that the certs were taking time / mistakenly being downloaded every time due to misconfiguration. But then, even with the cert there from the rake task, I still need the sleep(2)

( 1 is not long enough )

fschuindt avatar fschuindt commented on August 21, 2024

Any progress on it? I had no time to replicate it here yet. LMK anything, I'll try to look at it this weekend.

code-matt avatar code-matt commented on August 21, 2024

Nothing yet, will let you know if I have any progress.

code-matt avatar code-matt commented on August 21, 2024

Well, when I use the remote redis that production will use, it does not happen, at least 🤷‍♂️ It's still there locally, but I can survive.

enoch232 avatar enoch232 commented on August 21, 2024

Same issue here! It happens from time to time.

fschuindt avatar fschuindt commented on August 21, 2024

I haven't yet tested it here, but looking at the code, that's the part where the JWT verification is performed:

    def verify
      certificate = firebase_id_token_certificates.find(@kid)
      if certificate
        payload = decode_jwt_payload(@jwt_token, certificate.public_key)
        authorize payload
      end
    end

It may be returning nil 'cause the last if (if certificate) wasn't true.

Here's the code for firebase_id_token_certificates.find(@kid):

    def self.find(kid)
      certs = new.local_certs
      raise Exceptions::NoCertificatesError if certs.empty?

      if certs[kid]
        OpenSSL::X509::Certificate.new certs[kid]
      end
    end

So there are indeed certificates in the Redis database, otherwise an Exceptions::NoCertificatesError would be raised. But it's not finding this certificate by its @kid (a.k.a. "key ID"). I'm not sure why.

@penguinwokrs do you have any clue about it? I know it's been a long time since you contributed here (me too), but I would like to know your thoughts on it if possible.

Anyway, if someone has a solution (or anything really) feel free to post here or just to implement it yourself if you will.

cyurtbil avatar cyurtbil commented on August 21, 2024

I have the same issue as well while testing in my local environment. sleep(3) did work for me, to be honest, but I'm not sure what the issue is!

justin-rhoades avatar justin-rhoades commented on August 21, 2024

@cyurtbil @fschuindt I was able to replicate this on my local machine; for me the issue is poorly synchronized clocks. My local machine is ~45 seconds behind that of the server issuing the JWT, so it appears that the JWT iat is in the future, which is obviously invalid. The only way to solve this for me was to set verify_iat to false in FirebaseIdToken::Signature::JWT_DEFAULTS.

JWT_DEFAULTS = { algorithm: 'RS256', verify_iat: true }
# set verify_iat to false 
JWT_DEFAULTS = { algorithm: 'RS256', verify_iat: false }

fschuindt avatar fschuindt commented on August 21, 2024

@justin-rhoades Hmm, that's nice to know. Thank you for that. I think we can do that and perform a simpler iat verification ourselves. According to the Firebase documentation for verifying those tokens:

iat - Must be in the past. The time is measured in seconds since the UNIX epoch.

So if we can just make sure that this is indeed in the past, the system will still match the Firebase recommendations for verifying JWTs. And it might also fix this bug.

Any thoughts?

justin-rhoades avatar justin-rhoades commented on August 21, 2024

@fschuindt even if we were to verify iat with a custom implementation, we'd need to create something similar to what the jwt gem used to include, which is the concept of leeway for validating the iat. The reason for this is that if your machine's time is out of sync with the issuing server's time, it's possible that the iat is in the future. We could do something like...

def valid_iat?(iat, leeway_in_seconds)
  (Time.now + leeway_in_seconds).to_f > iat.to_f
end

This concept was removed from the gem due to the JWT spec changing (see here: jwt/ruby-jwt#319).

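An added example, not code from the firebase_id_token gem or from anyone in this thread: a custom iat check with bounded leeway of the kind proposed above, applied to the 45-second skew scenario described earlier. The module and method names and the 60-second default leeway are assumptions; it uses only the Ruby standard library and an injectable clock so the outcomes are deterministic.

```ruby
# Added example (not the gem's code): time-claim checks that tolerate bounded
# clock skew. Names and the 60-second default are assumptions.
module IatLeewayCheck
  DEFAULT_LEEWAY = 60 # seconds of skew tolerated between verifier and issuer (assumed)

  # Firebase requires iat to be in the past. A verifier whose clock runs behind
  # the issuer sees a slightly-future iat, so accept iat up to `leeway` seconds
  # ahead of our own clock. `now` is injectable so tests need no real clock.
  def self.valid_iat?(iat, leeway: DEFAULT_LEEWAY, now: Time.now)
    return false unless iat.is_a?(Numeric) # must be seconds since the UNIX epoch
    iat.to_f <= now.to_f + leeway
  end

  # exp must still lie in the future; the same leeway is applied symmetrically
  # so a verifier running ahead of the issuer does not reject fresh tokens.
  def self.valid_exp?(exp, leeway: DEFAULT_LEEWAY, now: Time.now)
    return false unless exp.is_a?(Numeric)
    exp.to_f > now.to_f - leeway
  end

  # Checks the time claims of an already-decoded payload and returns the list
  # of failures (empty when the claims are acceptable). Signature verification
  # is a separate step and is not replaced by this.
  def self.time_claim_errors(payload, leeway: DEFAULT_LEEWAY, now: Time.now)
    errors = []
    errors << :invalid_iat unless valid_iat?(payload['iat'], leeway: leeway, now: now)
    errors << :expired     unless valid_exp?(payload['exp'], leeway: leeway, now: now)
    errors
  end

  # Reproduces the thread's situation with a constructed clock: the issuing
  # server runs 45 s ahead of the local machine verifying the token.
  def self.skew_scenario
    local_now  = Time.at(1_600_000_000) # constructed local clock
    issuer_now = local_now + 45         # issuer clock, 45 s ahead
    payload = { 'iat' => issuer_now.to_i, 'exp' => issuer_now.to_i + 3600 }
    {
      # strict check (leeway 0) reproduces the InvalidIatError seen in the thread
      strict: time_claim_errors(payload, leeway: 0, now: local_now),   # [:invalid_iat]
      # with 60 s of leeway the same token is accepted
      leeway: time_claim_errors(payload, leeway: 60, now: local_now),  # []
      # an iat well beyond the leeway window is still rejected
      far_future: time_claim_errors(payload.merge('iat' => local_now.to_i + 600),
                                    leeway: 60, now: local_now)        # [:invalid_iat]
    }
  end
end
```

Leeway only widens the iat window by a fixed, small amount; it does not disable the check, and exp is still enforced.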
shurijoc avatar shurijoc commented on August 21, 2024

Screen Shot 2020-05-03 at 12 08 59

^ Unchecking and checking the checkbox above, as @thornomad said, fixes the problem.

This is what usually happens when I leave my laptop in sleep mode overnight. The system clock seems to get skewed as a result.

I was running into the same issue about Invalid iat, and this works like a charm.
Thank you.

fschuindt avatar fschuindt commented on August 21, 2024

I've added a warning about this in the README. Thank you, folks!
