Comments (17)
I recently submitted #26 for some error-raising abilities and, after doing so, narrowed down the problem we are having with one developer machine to a JWT::InvalidIatError. It sounds like we might have the same clock-syncing issue. Going to try out disabling the verify_iat flag, though I suspect this will do the trick.
I wonder if it is wisest just to disable the verification in development (not production)?
My local machine is ~45 seconds behind that of the server issuing the JWT, so it appears that the JWT iat is in the future, which is obviously invalid. The only way to solve this for me was to set verify_iat to false in FirebaseIdToken::Signature::JWT_DEFAULTS
@justin-rhoades - how did you verify that it was the local machine that had a poorly synchronized clock?
PS - can confirm resetting the system clock on the development computer (Mac) fixes the problem.
from firebase_id_token.
How are you downloading the certificates? Do you think it might be related to not having enough time for the certificates to be downloaded?
from firebase_id_token.
I have a local redis-server with stock config running, and neither is it throwing Exceptions about the certs not being found.
I am getting the certs in there with the rake firebase:certificates:request.
I have also done the .request and .request! in the action instead of the rake, and the same result with the sleep. It's so weird. I am not even doing anything before the sleep.
from firebase_id_token.
Hm, really odd. How did you discover that adding a sleep would make it work? By chance? I'm taking a look at the code again 'cause it's been a long time since I did anything here.
from firebase_id_token.
Yes, desperate trial and error is how I found it 👍 I originally had the .request above the sleep, thinking what you did: that the certs were taking time / mistakenly being downloaded every time due to misconfiguration. But even with the cert there from the rake, I still need the sleep(2) (1 is not long enough).
from firebase_id_token.
Any progress on it? I had no time to replicate it here yet. LMK anything, I'll try to look at it this weekend.
from firebase_id_token.
Nothing yet, will let you know if I have any progress.
from firebase_id_token.
Well, when I use the remote redis that production will use, it does not happen, at least 🤷‍♂️ It's still there locally, but I can survive.
from firebase_id_token.
Same issue here! It happens from time to time.
from firebase_id_token.
I haven't yet tested it here, but looking at the code, that's the part where the JWT verification is performed:
def verify
  certificate = firebase_id_token_certificates.find(@kid)
  # nothing is returned (nil) when no certificate matches the token's kid
  if certificate
    payload = decode_jwt_payload(@jwt_token, certificate.public_key)
    authorize payload
  end
end
It may be returning nil 'cause the last if (if certificate) wasn't true.
Here's the code for firebase_id_token_certificates.find(@kid):
def self.find(kid)
  certs = new.local_certs
  raise Exceptions::NoCertificatesError if certs.empty?
  # returns nil when the kid is not among the cached certificates
  if certs[kid]
    OpenSSL::X509::Certificate.new certs[kid]
  end
end
So there are indeed certificates in the Redis database, otherwise an Exceptions::NoCertificatesError would be raised. But it's not finding this certificate by its @kid (a.k.a. "key ID"). I'm not sure why.
@penguinwokrs do you have any clue about it? I know it's been a long time since you contributed here (me too), but I would like to know your thoughts on it if possible.
Anyway, if someone has a solution (or anything really) feel free to post here or just to implement it yourself if you will.
from firebase_id_token.
I have the same issue as well while testing in my local environment. sleep(3) did work for me, to be honest, but I'm not sure what the issue is!
from firebase_id_token.
@cyurtbil @fschuindt I was able to replicate this on my local machine; for me the issue is poorly synchronized clocks. My local machine is ~45 seconds behind that of the server issuing the JWT, so it appears that the JWT iat is in the future, which is obviously invalid. The only way to solve this for me was to set verify_iat to false in FirebaseIdToken::Signature::JWT_DEFAULTS
JWT_DEFAULTS = { algorithm: 'RS256', verify_iat: true }
# set verify_iat to false
JWT_DEFAULTS = { algorithm: 'RS256', verify_iat: false }
from firebase_id_token.
@justin-rhoades Hmm, that's nice to know. Thank you for that. I think we can do that and perform a simpler iat verification ourselves. According to the Firebase documentation for verifying those tokens:
iat - Must be in the past. The time is measured in seconds since the UNIX epoch.
So if we can just make sure that this is indeed in the past, the system will still match the Firebase recommendations for verifying JWTs. And it might also fix this bug.
Any thoughts?
from firebase_id_token.
@fschuindt even if we were to verify iat with a custom implementation, we'd need to create something similar to what the jwt gem used to include, which is the concept of leeway for validating the iat. The reason for this is that if your machine's time is out of sync with the issuing server's time, it's possible that the iat is in the future. We could do something like...
def valid_iat?(iat, leeway_in_seconds)
  # accept an iat up to leeway_in_seconds ahead of the local clock
  (Time.now + leeway_in_seconds).to_f > iat.to_f
end
This concept was removed from the gem due to the JWT spec changing (see here jwt/ruby-jwt#319).
from firebase_id_token.
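A worked version of the leeway idea discussed above, as an added example that is not code from the firebase_id_token gem or from anyone in this thread. The token, the kid, and the ISSUED_AT timestamp are constructed; the 45-second skew matches what was reported in the thread.

```ruby
require 'json'
# Added example (not code from the firebase_id_token gem). It models this
# thread: a verifier whose clock runs ~45 s behind the issuer sees a token
# whose `iat` lies in the future and rejects it under `verify_iat: true`.
def base64url_decode(seg)
  s = seg.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m')
end

def base64url_encode(str)
  [str].pack('m0').tr('+/', '-_').delete('=')
end

# Parse only the claims segment of a compact JWS. The RS256 signature is
# NOT checked here; a real verifier must validate it against the Google
# certificate for the token's `kid` before trusting any claim.
def jwt_payload(token)
  segments = token.split('.')
  raise ArgumentError, 'not a compact JWT' unless segments.length == 3
  JSON.parse(base64url_decode(segments[1]))
end

# Firebase docs: iat must be in the past. A bounded leeway (what the jwt
# gem used to offer) tolerates small clock skew without disabling the check.
def iat_valid?(iat, now:, leeway: 0)
  Integer(iat) <= now.to_i + leeway
end

# exp must still be in the future; the same leeway applies.
def exp_valid?(exp, now:, leeway: 0)
  Integer(exp) > now.to_i - leeway
end

# Time-claim check to run after the signature check when `verify_iat` is
# turned off in JWT_DEFAULTS. Returns nil when acceptable, else a reason.
def time_claims_error(payload, now:, leeway: 0)
  return 'missing iat or exp' unless payload.key?('iat') && payload.key?('exp')
  return 'iat in the future (clock skew?)' unless iat_valid?(payload['iat'], now: now, leeway: leeway)
  return 'token expired' unless exp_valid?(payload['exp'], now: now, leeway: leeway)
  nil
end

# Constructed, unsigned demo token; the issuer's clock reads ISSUED_AT.
ISSUED_AT = 1_700_000_000
def constructed_token(iat: ISSUED_AT, exp: ISSUED_AT + 3600)
  header = base64url_encode(JSON.generate({ alg: 'RS256', kid: 'demo-kid' }))
  claims = base64url_encode(JSON.generate({ iat: iat, exp: exp, sub: 'user-1' }))
  "#{header}.#{claims}.signature-omitted"
end
```

With `now` 45 s behind the issuer, `time_claims_error` rejects the token at leeway 0 and accepts it at leeway 60; keep the leeway to tens of seconds and fix the skew with NTP rather than widening it.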
^ Unchecking and checking the checkbox above as @thornomad said it fixes the problem.
This is what usually happens when I leave my laptop in sleep mode overnight. The system clock seems to get skewed as a result.
I was running into the same issue about Invalid iat, and this works like a charm. Thank you.
from firebase_id_token.
I've added a warning about this on README. Thank you, folks!
from firebase_id_token.