distribution/registry/auth/token
Marcus Martins db1bf93098
Add leeway to JWT nbf and exp checking
Adds a constant leeway (60 seconds) to the nbf and exp claim check to
account for clock skew between the registry servers and the
authentication server that generated the JWT.

The leeway of 60 seconds is a bit arbitrary but based on the RFC
recommendation and hub.docker.com logs/metrics where we don't see
drifts of more than a second on our servers running ntpd.

I didn't attempt to make the leeway configurable as it would add extra
complexity to the PR and I am not sure how Distribution prefers to
handle runtime flags like that.

Also, I am simplifying the exp and nbf check for readability as the
previous `NOT (A AND B)` with cmp operators was not very friendly.

Ref:
https://tools.ietf.org/html/rfc7519#section-4.1.5

Signed-off-by: Marcus Martins <marcus@docker.com>
2016-07-18 17:47:30 -07:00
..
accesscontroller.go auth.AccessController interface now uses distribution/context 2015-07-23 19:48:47 -07:00
stringset.go Move auth package under registry package 2015-02-10 17:34:04 -08:00
token.go Add leeway to JWT nbf and exp checking 2016-07-18 17:47:30 -07:00
token_test.go Add leeway to JWT nbf and exp checking 2016-07-18 17:47:30 -07:00
util.go fix some typos in source comments 2015-04-17 12:39:52 +00:00
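
The nbf/exp leeway check described in the commit message above, as an added Go example that is not the code from this commit. The names `claims` and `checkWindow` and the sample timestamps are constructed for illustration; only the 60-second value comes from the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// leeway mirrors the 60-second constant named in the commit message.
const leeway = 60 * time.Second

var (
	errExpired     = errors.New("token expired")
	errNotYetValid = errors.New("token not yet valid")
)

// claims holds the two time-based JWT claims as Unix seconds (hypothetical type).
type claims struct {
	NotBefore  int64
	Expiration int64
}

// checkWindow validates nbf and exp against now, widening the validity
// window by skew on each side. Two plain comparisons replace a negated
// compound condition; the exact boundary instants are accepted.
func checkWindow(c claims, now time.Time, skew time.Duration) error {
	if now.After(time.Unix(c.Expiration, 0).Add(skew)) {
		return errExpired
	}
	if now.Before(time.Unix(c.NotBefore, 0).Add(-skew)) {
		return errNotYetValid
	}
	return nil
}

func main() {
	// Constructed sample: a token valid for five minutes from issue time.
	issued := time.Date(2016, 7, 18, 12, 0, 0, 0, time.UTC)
	c := claims{NotBefore: issued.Unix(), Expiration: issued.Add(5 * time.Minute).Unix()}

	// Registry clock position relative to the issuer's clock at issue time.
	offsets := []time.Duration{-90 * time.Second, -30 * time.Second, 0, 330 * time.Second, 361 * time.Second}
	for _, off := range offsets {
		now := issued.Add(off)
		fmt.Printf("offset %7v  strict=%v  leeway=%v\n", off, checkWindow(c, now, 0), checkWindow(c, now, leeway))
	}
}
```

A registry clock 30 seconds off in either direction fails the strict check but passes with the leeway; the trade-off is that an expired token stays usable for up to 60 seconds longer.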