Using auth0.js v9.12.0 clock drift tolerance seems lower or non-existent #1061

Closed
macpham opened this issue Dec 12, 2019 · 6 comments

Comments

@macpham

macpham commented Dec 12, 2019

Description

On the previous version of Auth0-js v9.11.3 we were able to log in while having a clock drift of a few minutes, but on the new version of Auth0-js v9.12.0 this results in an error:

Reproduction

  1. Use Auth0-js v9.12.0
  2. Set your clock a little bit behind (3s created the problem, but previously 2+ minutes was OK)
  3. Try to log in
  4. See this problem:
    image

Using Auth0-js v9.11.3 the problem above does not occur.

Environment

  • Version of this library used: v9.12.0
  • Other relevant versions (language, server software, OS, browser): All browsers affected
@macpham
Author

macpham commented Dec 12, 2019

I suspect a change in this file caused the problem: https://github.com/auth0/auth0.js/pull/1059/files#diff-2f11667c8f671044416e38e4ceb9d7c8R440 🔍

@azjgard

azjgard commented Dec 16, 2019

We are experiencing the same issue after upgrading to v9.12.0 late last week.

In our case, a drift of just one second is triggering the error for our users.

@nicosabena
Contributor

Thanks for reporting this everyone. #1062 should fix this.

@stevehobbsdev
Contributor

v9.12.1 sets the default leeway to 60 seconds. Please let us know if you are still seeing this issue after upgrading.

@trosborn

@stevehobbsdev I have a customer who says they are still getting this error after upgrading to auth0-js@9.12.1: "ISSUED AT (IAT) CLAIM ERROR IN THE ID TOKEN; CURRENT TIME "THU DEC 26 2019 10:19:12 GMT-0500 (EASTERN STANDARD TIME)" IS BEFORE ISSUED AT TIME "THU DEC 26 2019 10:19:18 GMT-0500 (EASTERN STANDARD TIME)"".

Is it possible for you to reopen this with just that information?

@lbalmaceda
Contributor

lbalmaceda commented Dec 30, 2019

@trosborn 👋 That message is similar to the first one and it doesn't look like a minute has passed in between the start of the request and the reception of the response. Please double check that you're using the latest version mentioned by Steve above.

If the default of 60 seconds is not a good fit for your customer's use case, you can tune it by passing a higher value in the options. See this line
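
An added example, not part of the thread and not auth0.js's own code: a stand-alone check of the `iat`, `nbf` and `exp` claims with a clock-skew leeway, run on the two timestamps quoted in the error message above. The function name, the result shape and the `exp` value are assumptions made for the illustration.

```javascript
// Added example: time-claim checks with a clock-skew leeway (all values in seconds).
// checkTimeClaims and its result shape are hypothetical, not auth0.js internals.
function checkTimeClaims(claims, nowSeconds, leewaySeconds) {
  const errors = [];
  for (const name of ["iat", "exp"]) {
    if (!Number.isFinite(claims[name])) errors.push(`${name} missing or not numeric`);
  }
  if (errors.length > 0) return { ok: false, errors };

  // A token whose iat lies ahead of the local clock is only acceptable
  // if the gap fits inside the leeway (issuer clock ahead of client clock).
  if (nowSeconds + leewaySeconds < claims.iat) {
    errors.push(`iat is ${claims.iat - nowSeconds}s ahead of local time`);
  }
  // nbf is optional; when present it gets the same tolerance as iat.
  if (Number.isFinite(claims.nbf) && nowSeconds + leewaySeconds < claims.nbf) {
    errors.push(`nbf is ${claims.nbf - nowSeconds}s ahead of local time`);
  }
  // Leeway also extends how long an expired token is still accepted,
  // which is why it should stay small.
  if (nowSeconds - leewaySeconds >= claims.exp) {
    errors.push(`expired ${nowSeconds - claims.exp}s ago`);
  }
  return { ok: errors.length === 0, errors };
}

// Timestamps from the error message quoted in the thread (client clock 6s behind).
const clientNow = Date.parse("2019-12-26T10:19:12-05:00") / 1000;
const issuedAt = Date.parse("2019-12-26T10:19:18-05:00") / 1000;
// Constructed value: the thread does not state the token lifetime.
const sampleClaims = { iat: issuedAt, exp: issuedAt + 36000 };

const strict = checkTimeClaims(sampleClaims, clientNow, 0);
const tolerant = checkTimeClaims(sampleClaims, clientNow, 60);
// The cost of leeway: a token 30s past exp still passes with 60s of tolerance.
const lateStrict = checkTimeClaims(sampleClaims, sampleClaims.exp + 30, 0);
const lateTolerant = checkTimeClaims(sampleClaims, sampleClaims.exp + 30, 60);

console.log({ strict, tolerant, lateStrict, lateTolerant });
```

With no leeway the 6-second gap is rejected, which matches the behaviour reported for v9.12.0; with 60 seconds it is accepted, and the same tolerance keeps a just-expired token valid for up to a minute longer.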
