distribution/registry/auth
Marcus Martins db1bf93098
Add leeway to JWT nbf and exp checking
Adds a constant leeway (60 seconds) to the nbf and exp claim check to
account for clock skew between the registry servers and the
authentication server that generated the JWT.

The leeway of 60 seconds is a bit arbitrary but based on the RFC
recommendation and hub.docker.com logs/metrics where we don't see
drifts of more than a second on our servers running ntpd.

I didn't attempt to make the leeway configurable as it would add extra
complexity to the PR and I am not sure how Distribution prefers to
handle runtime flags like that.

Also, I am simplifying the exp and nbf check for readability as the
previous `NOT (A AND B)` with cmp operators was not very friendly.

Ref:
https://tools.ietf.org/html/rfc7519#section-4.1.5

Signed-off-by: Marcus Martins <marcus@docker.com>
2016-07-18 17:47:30 -07:00
..
htpasswd Merge pull request #1410 from aaronlehmann/failured 2016-02-01 19:20:35 -08:00
silly Update auth context keys to use constant 2016-01-28 17:02:09 -08:00
token Add leeway to JWT nbf and exp checking 2016-07-18 17:47:30 -07:00
auth.go Update auth context keys to use constant 2016-01-28 17:02:09 -08:00
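
The leeway check described in the commit message above, as an added Go example (not the registry's own code): it tests each bound of the validity window separately and shows which verifier clock offsets a 60-second leeway tolerates. The names `Claims` and `CheckWindow` and the sample timestamps are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Leeway is the clock-skew allowance; 60 seconds is the value from the commit message.
const Leeway = 60 * time.Second

var (
	ErrNotYetValid = errors.New("token not valid yet (nbf)")
	ErrExpired     = errors.New("token expired (exp)")
)

// Claims carries nbf and exp as NumericDate values (seconds since the Unix epoch).
// Hypothetical type for this example, not the registry's own claim set.
type Claims struct {
	NotBefore  int64
	Expiration int64
}

// CheckWindow accepts a token when now lies in [nbf-leeway, exp+leeway].
// Each bound is tested on its own, so there is no negated compound condition.
func CheckWindow(c Claims, now time.Time, leeway time.Duration) error {
	if now.Before(time.Unix(c.NotBefore, 0).Add(-leeway)) {
		return ErrNotYetValid
	}
	if now.After(time.Unix(c.Expiration, 0).Add(leeway)) {
		return ErrExpired
	}
	return nil
}

func main() {
	// Constructed sample: a five-minute token, checked by verifiers whose clocks
	// sit at various offsets from the issuer's clock.
	issued := time.Unix(1468889250, 0)
	c := Claims{NotBefore: issued.Unix(), Expiration: issued.Add(5 * time.Minute).Unix()}
	for _, off := range []time.Duration{-90 * time.Second, -30 * time.Second, 0, 330 * time.Second, 361 * time.Second} {
		now := issued.Add(off)
		fmt.Printf("offset %-6v strict=%v leeway=%v\n", off, CheckWindow(c, now, 0), CheckWindow(c, now, Leeway))
	}
}
```

The same allowance applies on both sides of the window, so a token remains acceptable for up to 60 seconds after its `exp`; revocation and short-lifetime assumptions should account for that.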