Issued At Claim Error

Hi,

I have a react app that is using the auth0 spa for user login.

Some of my users are receiving an error that prevents them from logging in.

Uncaught (in promise) Error: Issued At (iat) claim error in the ID token; current time is before issued at time

The time difference is about 5 seconds.

I believe the users are on a network that is using a proxy server, which might be causing the time difference.

Does the validation happen on the local machine? If so, there might be a time difference from the proxy server and the client machine.

Is there a way to allow some ‘room’ between the times to allow for this error? For example: a 10 second allowance between the times?

edit: I can see there is a leeway option to allow for slight time differences but the error message I have doesn’t match with the error messages I have found in auth0-spa-js.

Hi nmck,

leeway is used to account for the clock skew of JWT expiration, not the Issued At (iat) time.

The most probable reason of this error is the user’s machine is out of sync of time. You could check it by comparing the local time on the user’s machine with a time source on internet, such as https://www.timeanddate.com/
If there is an out of sync, the user needs to adjust their local machine’s time or configure NTP on their machine to sync time.

Hi @Guangjie,

Thanks for your reply.

I have seen this issue on two different machines (that are on the network with the proxy) which is why I initially thought it may be correlated to the proxy server.

I would doubt that both machines are out of sync, do you have any other thoughts that would cause this issue?

@nmck I had this issue happen to me yesterday. Looking at when you raised this issue I was certain it was an issue out of our control however, the users machine was indeed a minute slow. Which exceeded the leeway.

Good luck!

@mderrick thanks for the info, I’ll take another look at the affected machines.

Thanks!

Hi
If the reason is that the client machine is out of sync, what should I tell my end users?
That they need to sync their clock in order to authenticate?
Is that reasonable given that some of them aren’t IT guys? and the internet is a new thing for them…

Facing the same problem here, in my home connection (no proxies). I’m from Brazil and my colleagues in Netherlands didn’t notice that problem… my machine (windows 10) time has automatically date and time sync

Same issue:

“Issued At (iat) claim error in the ID token; current time “Thu Jan 09 2020 17:44:37 GMT+0000 (Greenwich Mean Time)” is before issued at time “Thu Jan 09 2020 17:44:38 GMT+0000 (Greenwich Mean Time)””

@Guangjie Asking users to adjust their time because their clock is 1 second off is not reasonable. Is there a way to provide leeway-like option for iat time?

I am having multiple users getting this issue, often for a several second discrepancy. Is there any solution to this? Asking each user to sync their clock for a time that shows correct down to the minute is simply not a realistic solution

Hey all, I have confirmed that ‘leeway’ option does effect iat expiration issues. I simply set leeway to 300 in my Auth0Lock options object:

new Auth0Lock(CLIENT_ID, DOMAIN, {
    leeway: 300
}

It seems like there was an issue with auth0-spa-js library. So, it was fixed with v1.6.2 (Release v1.6.2 · auth0/auth0-spa-js · GitHub).

Original issue - Issued At Claim Errors · Issue #320 · auth0/auth0-spa-js · GitHub

PS But I’m still wondering why official position of Auth0 team is “There is no issue and never been, fix your clocks”…

@dr_nikson thanks for the info, it looks like that will fix the issue I’m having with several users.

I’ll report back on this thread once I test it out with those users.