Comments (6)
Clock skew = tolerance for the token expiration to deal with differences between the issuer time and the consumer time; it specifies the allowed time difference between the server and client clocks. It was set to 0 milliseconds here, so issuer and consumer need to have exactly the same synchronized time.
sorry for closing and opening, used GitHub Shortcuts by mistake
from ids-messaging-services.
Hi Tim, I had a second look at the logs. It seems that the connector is complaining about its own token. Could it be that, before sending a request to another connector, it gets its own token from the DAPS, checks it and realizes that the token is too old? In this case there is a clock skew of 7 seconds between the connector and the DAPS.
from ids-messaging-services.
Hi, the +7 seconds then fit the log message from above: a difference of 7343 milliseconds.
I am not aware that we do a validation; however, I can find the following reference in the DAPS specification regarding sending the request token for a DAT to the DAPS, at "Request token that is handed in at DAPS side": "If the system time [of the connector] is not in synch with the DAPS, the request token will be rejected (e.g., nbf [not before] is in the future)."
from ids-messaging-services.
Hi, after checking the logs again I realized that the failing communication (as stated at the beginning) had another reason. It seems that the clock skew error is not a real error. I see that after the error message the AisecTokenManagerService is downloading a new token which works.
My explanation for the error is now the following. Since the job runs every hour, I assume that the token has a validity of 1h (which seems quite long). When the job starts again, it checks the old token it has cached and realizes that the token is too old. It throws an error message and handles the situation by downloading a new token.
But since the situation is already handled (because it is expected that the token can be expired), no error message should be thrown in this case.
from ids-messaging-services.
If it is only about the pure log message, then we cannot easily prevent it, since it is not thrown by the Dataspace Connector itself or by the Messaging-Services at all.
To read the claims of the cached DAT and get the expiration, we use Jwts.parser() (io.jsonwebtoken.Jwts), which unfortunately checks before us whether the token value is valid at all. For example, if it has expired, the parser throws an ExpiredJwtException on the one hand and logs a message that we cannot control on the other. We catch the exception and get a new token, or, in case of no exception, we execute our own validation afterwards and then get a new one depending on the result.
The only way without this log would be to not use the parser at all at this point. For this we would have to read the claims directly when we receive the DAT from the DAPS and save them in addition to the complete JWT, e.g. the expiration date, which should still be valid directly after receipt. That way we would be able to access the info directly when checking whether the DAT has expired, instead of having to re-read the claims using the parser.
from ids-messaging-services.
(Have implemented the solution to also cache the expiration date directly after fetching the DAT, next to the DAT itself, instead of reading the claims via the parser every time a message is sent and thus running into the error log.)
from ids-messaging-services.
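The two mechanisms discussed in this thread, a parser-style check of exp/nbf with an allowed clock skew (0 ms in the failing setup, a DAPS clock 7343 ms ahead of the connector) and a DAT cache that records the expiry once at fetch time instead of re-parsing the token before every message, as an added illustration in Python with only the standard library. This is not the project's code and not jjwt; the `DatCache` class, the `refresh_margin_s` parameter, the HMAC-signed demo tokens and the timestamps are all assumptions made for the example (a real DAT is RS256-signed by the DAPS and its signature is verified when it is received).

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Demo-only HMAC key; constructed for this example, not a DAPS key.
DEMO_SECRET = b"demo-secret-not-a-real-daps-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_dat(claims: Dict, key: bytes = DEMO_SECRET) -> str:
    """Build a compact JWS (HS256) carrying the given claims. Constructed stand-in for a DAT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_read_claims(token: str, key: bytes = DEMO_SECRET) -> Dict:
    """Check the signature and return the claims. Done once, when the DAT is fetched."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def check_time_claims(claims: Dict, now: float, allowed_skew_s: float) -> None:
    """The validation a JWT parser applies: exp must not be past and nbf must not be in the
    future, each relaxed by the allowed clock skew (0 means both clocks must agree exactly)."""
    if "exp" in claims and now - allowed_skew_s >= claims["exp"]:
        raise ValueError(f"token expired {now - claims['exp']:.3f}s ago")
    if "nbf" in claims and claims["nbf"] > now + allowed_skew_s:
        raise ValueError(f"token not valid for another {claims['nbf'] - now:.3f}s")


@dataclass
class CachedDat:
    token: str
    exp: float  # recorded at fetch time, so no re-parse (and no parser log line) per message


class DatCache:
    """Hands out a DAT for outgoing messages and refreshes it shortly before it expires."""

    def __init__(self, fetch: Callable[[], str], refresh_margin_s: float,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch, self._margin, self._clock = fetch, refresh_margin_s, clock
        self._cached: Optional[CachedDat] = None
        self.fetch_count = 0

    def _refresh(self) -> CachedDat:
        token = self._fetch()
        claims = verify_and_read_claims(token)  # the only place the token is parsed
        self.fetch_count += 1
        self._cached = CachedDat(token=token, exp=float(claims["exp"]))
        return self._cached

    def needs_refresh(self) -> bool:
        return self._cached is None or self._clock() + self._margin >= self._cached.exp

    def token_for_sending(self) -> str:
        if self.needs_refresh():
            self._refresh()
        return self._cached.token


def run_cache_demo() -> Dict[str, object]:
    """Hourly sends against a DAT valid for 3600 s: one fetch, reuse, refresh at expiry."""
    state = {"now": 1_700_000_000.0}  # constructed epoch timestamp
    clock = lambda: state["now"]

    def fetch_from_daps() -> str:
        now = int(clock())
        return make_demo_dat({"iat": now, "nbf": now, "exp": now + 3600, "sub": "demo-connector"})

    cache = DatCache(fetch_from_daps, refresh_margin_s=60, clock=clock)
    first = cache.token_for_sending()
    state["now"] += 1800
    second = cache.token_for_sending()  # still valid: no fetch, no parser involved
    state["now"] += 1800                # at exp: cache refreshes without an exception
    third = cache.token_for_sending()
    return {"fetches": cache.fetch_count, "same_after_30min": first == second,
            "refreshed_at_expiry": first != third}


def run_skew_demo() -> Dict[str, bool]:
    """A DAPS clock 7.343 s ahead of the connector, with 0 s and 10 s of allowed skew."""
    connector_now = 1_700_000_000.0
    daps_now = connector_now + 7.343  # the 7343 ms difference from the log
    claims = {"iat": daps_now, "nbf": daps_now, "exp": daps_now + 3600}
    rejected = accepted = False
    try:
        check_time_claims(claims, connector_now, allowed_skew_s=0)
    except ValueError:
        rejected = True  # nbf is 7.343 s in the future for the connector
    try:
        check_time_claims(claims, connector_now, allowed_skew_s=10)
        accepted = True
    except ValueError:
        pass
    return {"rejected_with_zero_skew": rejected, "accepted_with_10s_skew": accepted}
```

The refresh margin is the "leeway" the thread asks for on the sending side: the cache fetches a fresh DAT a little before the cached one expires, so the receiving connector never sees a token that is already stale, and the cached `exp` is compared against the local clock without ever handing the old token back to a parser.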