Consider lowering the ClockSkew in TokenValidator
AndersAbel opened this issue · 1 comments
The TokenValidator uses the default ClockSkew of 5 minutes when validating JWTs. Having a generous clock skew is meant to be forgiving to clients that have their system clock out of sync. But in IdentityServer we only validate tokens that were issued by IdentityServer itself. It's the same clock that issued the token that validates it. We could do with a (near)-zero ClockSkew.
The only time a ClockSkew would be relevant to have is if there's a cluster and the times in the cluster are not in sync. But if the clocks in your cluster are more than a few seconds off there's a problem with your infrastructure.
I suggest setting the ClockSkew to 5 seconds in the TokenValidator.
Perhaps we add a new option for this value.
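
The effect discussed in this issue, as an added example that is not part of the issue or of IdentityServer's code: a JWT whose `exp` passed 60 seconds ago is validated once with the library default `ClockSkew` and once with the proposed 5 seconds. It assumes the `System.IdentityModel.Tokens.Jwt` package; the key, issuer and audience are constructed demo values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed demo values (assumptions, not IdentityServer configuration).
const string Issuer = "https://issuer.example";
const string Audience = "api";
var key = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes!!"));
var handler = new JwtSecurityTokenHandler();

// Issue a token whose lifetime ended 60 seconds ago.
var now = DateTime.UtcNow;
var expired = handler.WriteToken(new JwtSecurityToken(
    issuer: Issuer,
    audience: Audience,
    notBefore: now.AddMinutes(-10),
    expires: now.AddSeconds(-60),
    signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)));

// Validate the same token with a given clock skew; only the lifetime
// check differs between the two calls below.
bool IsAccepted(string jwt, TimeSpan skew)
{
    var parameters = new TokenValidationParameters
    {
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = key,
        ValidateLifetime = true,
        ClockSkew = skew
    };
    try
    {
        handler.ValidateToken(jwt, parameters, out _);
        return true;
    }
    catch (SecurityTokenExpiredException)
    {
        return false;
    }
}

// Library default skew (5 minutes) versus the 5 seconds proposed above.
Console.WriteLine($"default skew ({TokenValidationParameters.DefaultClockSkew}): " +
                  $"accepted = {IsAccepted(expired, TokenValidationParameters.DefaultClockSkew)}");
Console.WriteLine($"5 second skew: accepted = {IsAccepted(expired, TimeSpan.FromSeconds(5))}");
```

With the default skew the lifetime check extends the effective expiry by the skew amount, so a short-lived token stays usable for up to that long past its `exp`.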