Accounting for clock skew for nbf claim when issueing JWT tokens

[rasander]

Hi.

I'm facing issues because there is a small system time difference in our identityserver application and some of our partner APIs.

The partners JWT validation does not handle clock skew. And in this case they sometimes fails the validation because their system time is lower than nbf (or iat) claims.

Is there a way to centrally compensate for this when issueing access_tokens? Eg always setting nbf/iat claims to 5 sec less than current system time.

[wcabus]

Unfortunately, there are no settings available to change the nbf/iat claims for generated tokens.

You could work around this problem by implementing a custom token creation service by overriding the DefaultTokenCreationService class and apply the clock skew on your end, perhaps even only applying for specific clients or based on client properties.

To do this, you'd only need to override the CreatePayloadAsync method to alter the nbf and iat values in the payload dictionary after calling token.CreateJwtPayloadDictionary(Options, Clock, Logger).