API Gateway JWT verification nbf and exp fields and tolerance

Hello

I would like to verify JWT tokens on the API Gateway that are issued by an external authorization server. What I find that because the API Gateway time server is slightly out of sync with the external authorization server, sometimes the token nbf is rejected. If I make a second API request with the same token, the JWT instance is verified.

Is there a way to configure the API Gateway to be more “tolerant” to the nbf and exp fields in the JWT token? I would like say a minute of tolerance either way.

Much appreciated if there are any suggestions.

Regards,

Yunus Aswat.

What product/components do you use and which version/fix level?

API Gateway 10.7

Do you get any error messages? Please provide a full error message screenshot and log file.

2022-03-24 09:34:53 CET [YAI.0003.8887D] (tid=388) [default][BEDEVESBAPI11][APIGW:][POL:evaluatePolicy]I—> Debug: Not before validation failed

Have you installed latest fixes for the products

10.7.0.13.418

Hi Yunus,
It is preferable to sync API Gateway Server to your network time.

Regards,
Praba.

Hello Praba,

This is not an acceptable solution. The setup is API Gateway On-Premise. External website hosted in Azure obtains a token from Azure ADB2C and makes a call to API Gateway. API Gateway has to verify the token based on the External authorization server (i.e. Azure ADB2C) that is configured.

Microsoft do not publish time server information for ADB2C. Therefore we cannot sync API Gateway against the same time server that Microsoft uses for its ADB2C solution. It must be accepted that there is always a slight variation in timing between API Gateway and Azure ADB2C.

Please advise.

Yunus Aswat.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.