Getting invalid token error due to the token being issued in the future

#1

I get this error message in some computers while in others everything works fine:

invalid token the token was issued in the future

I tried adding the leeway parameter but it doesn’t help. I’m using Auth0.js in a SPA.


#2

That may happen if the maximum leeway allowed is not sufficient to counterbalance the time synchronization issue in the client computer that is performing the validation. Given that for SPAs the validation will run on the client machine, outside of your control, it’s not feasible to guarantee proper time synchronization besides letting the user know that the failure was related to issues with their computer clock.

The latest version of the library that performs the ID token validation will no longer perform the exact same validation associated with this error, so in the future this will no longer be an issue. However, until the upstream libraries that make use of the common library are updated and released, this will still occur if the client machine time is so off that the leeway can’t compensate for that.

When using Auth0.js directly you should be able to control if validation occurs or not through this option in the parseHash method. You would still need to do the validation yourself, but you could now be more lenient in terms of time.

When using Lock a possible alternative would be to change the response mode being used so that the authentication response is not included as part of the redirect URL fragment (which is validated automatically) and instead delivered to the server-side using a form POST. However, this would require that you would then do the validation yourself and it would significantly change the way the client application needs to be implemented so it may not be an option.
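
An added example, not part of the original thread and not Auth0.js code: one way to write the more lenient time check that post #2 says you would have to do yourself, applied to an already decoded ID token payload. The function name, the 300-second leeway cap and the sample values are assumptions; signature, issuer, audience and nonce verification are assumed to happen separately and are not relaxed here.

```javascript
// Added example, not Auth0.js code. Assumes signature, iss, aud and nonce
// were already verified; this covers only the time-based claims.
const MAX_LEEWAY_SECONDS = 300; // assumed upper bound so leeway cannot disable expiry

function checkTimeClaims(claims, { now = Math.floor(Date.now() / 1000), leeway = 60 } = {}) {
  if (!Number.isInteger(leeway) || leeway < 0 || leeway > MAX_LEEWAY_SECONDS) {
    throw new RangeError(`leeway must be an integer from 0 to ${MAX_LEEWAY_SECONDS}`);
  }
  // clockSkew: seconds by which the local clock appears to lag the issuer (0 if unknown).
  const fail = (reason, clockSkew = 0) => ({ ok: false, reason, clockSkew });

  // exp is mandatory in an ID token; a missing or non-numeric value is rejected.
  if (!Number.isFinite(claims.exp)) return fail('exp missing or not a number');
  if (now - leeway >= claims.exp) return fail('token expired');

  // iat ahead of the local clock: the condition reported in this thread.
  if (claims.iat !== undefined) {
    if (!Number.isFinite(claims.iat)) return fail('iat not a number');
    if (claims.iat > now + leeway) return fail('token issued in the future', claims.iat - now);
  }
  if (claims.nbf !== undefined) {
    if (!Number.isFinite(claims.nbf)) return fail('nbf not a number');
    if (claims.nbf > now + leeway) return fail('token not yet valid', claims.nbf - now);
  }
  return { ok: true, reason: null, clockSkew: 0 };
}

// Constructed sample: issuer clock reads 1700000000, token lifetime 10 hours.
const sampleClaims = { iat: 1700000000, exp: 1700036000 };

// Client clock 45 s slow: inside the 60 s leeway, accepted.
console.log(checkTimeClaims(sampleClaims, { now: 1699999955 }));
// Client clock 10 min slow: rejected; clockSkew lets the UI tell the user to fix the clock.
console.log(checkTimeClaims(sampleClaims, { now: 1699999400 }));
```

The returned `clockSkew` supports the suggestion in post #2 of telling the user that the failure comes from their computer clock, while the cap keeps a large leeway from turning into an accepted expired token.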


#3

I’m using Auth0.js
What is the version number with the fix for this issue?
Or, if it’s not out yet, when is it expected?
Thanks


#5

According to this, version 8.8.0 includes the updated version of the dependent library so you may want to test with that one.


#6