DuendeSoftware/IdentityServer

Consider lowering the ClockSkew in TokenValidator

AndersAbel opened this issue · 1 comments

The TokenValidator uses the default ClockSkew of 5 minutes when validating JWTs. Having a generous clock skew is meant to be forgiving to clients that have their system clock out of sync. But in IdentityServer we only validate tokens that were issued by IdentityServer itself. It's the same clock that issued the token that validates it. We could do with a (near-)zero ClockSkew.

The only time a ClockSkew would be relevant to have is if there's a cluster and the times in the cluster are not in sync. But if the clocks in your cluster are more than a few seconds off, there's a problem with your infrastructure.

I suggest setting the ClockSkew to 5 seconds in the TokenValidator.

Perhaps we add a new option for this value.
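As an added example (not IdentityServer's or Microsoft.IdentityModel's own code), the check below models the standard JWT `exp`/`nbf` lifetime validation with a configurable skew, so the effect of the 5-minute default versus the proposed 5 seconds can be measured on a constructed token; the constants, the `TokenTimes` type and the sample token are assumptions made for the example.

```python
"""Model of JWT lifetime validation with a configurable clock skew.

Added example, not IdentityServer's own code. It reproduces the usual
exp/nbf checks (RFC 7519) that a validator such as Microsoft.IdentityModel's
TokenValidationParameters applies, with the skew applied on both ends,
so the cost of a generous ClockSkew can be seen when the issuer and the
validator share one clock.
"""
from dataclasses import dataclass

DEFAULT_CLOCK_SKEW = 300   # seconds; the 5-minute default discussed in the issue
PROPOSED_CLOCK_SKEW = 5    # seconds; the value proposed in the issue


@dataclass(frozen=True)
class TokenTimes:
    """Only the time claims matter here; signature checks are out of scope."""
    nbf: int  # not-before, seconds since epoch
    exp: int  # expiry, seconds since epoch


def validate_lifetime(token: TokenTimes, now: int, clock_skew: int) -> bool:
    """True if the token is within its lifetime, tolerating `clock_skew`
    seconds of drift on either side, as a JWT validator normally does."""
    if now + clock_skew < token.nbf:
        return False  # not yet valid, even if the validator clock runs slow
    if now - clock_skew >= token.exp:
        return False  # expired, even if the validator clock runs fast
    return True


def effective_lifetime(token: TokenTimes, clock_skew: int) -> int:
    """Seconds during which validate_lifetime() accepts the token when the
    same clock issued and validates it: the skew is pure extra lifetime."""
    return (token.exp - token.nbf) + 2 * clock_skew


# Constructed sample: a token issued at t=1_000_000 with a 1-hour lifetime.
ISSUED_AT = 1_000_000
TOKEN = TokenTimes(nbf=ISSUED_AT, exp=ISSUED_AT + 3600)

if __name__ == "__main__":
    two_minutes_after_expiry = TOKEN.exp + 120
    print("accepted with default skew:", validate_lifetime(TOKEN, two_minutes_after_expiry, DEFAULT_CLOCK_SKEW))
    print("accepted with 5s skew:     ", validate_lifetime(TOKEN, two_minutes_after_expiry, PROPOSED_CLOCK_SKEW))
```

With the default, a token that expired two minutes ago is still accepted; with a 5-second skew it is rejected, and the acceptance window shrinks from 70 minutes to 60 minutes and 10 seconds.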