Skip to content

chore: Issue 2 seconds in the past due to clock skew #378

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
sanderPostma wants to merge 1 commit into from
Closed

chore: Issue 2 seconds in the past due to clock skew #378

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 4 additions & 6 deletions packages/oid4vci-issuer/src/functions.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ import { Resolvable } from 'did-resolver'
import { jwtDecode } from 'jwt-decode'
import { IIssuerOptions, IRequiredContext } from './types/IOID4VCIIssuer'

const CLOCK_SKEW_ISSUANCE = 2 // Clock drift on Android is typically up to 2000ms, so we issue 2 seconds in the past
Copy link
Contributor

@BtencateSphereon BtencateSphereon Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i cannot find any proof of this, whjere did you find this info?


export function getJwtVerifyCallback({ verifyOpts }: { verifyOpts?: JWTVerifyOptions }, _context: IRequiredContext) {
return async (args: { jwt: string; kid?: string }): Promise<JwtVerifyResult> => {
const resolver = getAgentResolver(_context, {
Expand Down Expand Up @@ -193,11 +195,7 @@ export async function getAccessTokenSignerCallback(
return Promise.reject(Error('No algorithm found in identifier JWK'))
}

return await createJWT(
jwt.payload,
{ signer, issuer },
{ ...jwt.header, ...(kidHeader && { kid: kidHeader }), typ: 'JWT', alg },
)
return await createJWT(jwt.payload, { signer, issuer }, { ...jwt.header, ...(kidHeader && { kid: kidHeader }), typ: 'JWT', alg })
}

return accessTokenSignerCallback
Expand Down Expand Up @@ -272,7 +270,7 @@ export async function getCredentialSignerCallback(
sdJwtPayload.iss = issuer
}
if (sdJwtPayload.iat === undefined) {
sdJwtPayload.iat = Math.floor(new Date().getTime() / 1000)
sdJwtPayload.iat = Math.floor(new Date().getTime() / 1000) - CLOCK_SKEW_ISSUANCE
}

let disclosureFrame
Expand Down
Loading