This article explains the expected behavior caused by time discrepancies (clock skew) between a local system and the Okta server.
- Okta Sign in Widget
- okta-auth-js library
- Token Validation
- System Clock Skew
When an authentication flow involves an ID token, two validation scenarios can occur due to system clock discrepancies:
- System Clock is Behind: The `maxClockSkew` property in the `okta-auth-js` library configures the maximum allowed difference, in seconds, between a client's clock and the server's clock for token validation. The default value is 300 seconds (five minutes).
  - If the system's time is behind the server time but within this range, token validation succeeds. If the deviation is outside this range, it fails.
  - This property only affects validation when the system clock is behind the server time and does not apply when the system clock is ahead.
- System Clock is Ahead: In this scenario, the validation check depends on the ID token's lifetime, which is 60 minutes by default.
  - If the system's time is advanced to a point within that 60-minute window, a validation error does not occur.
  - If the system's time is more than 60 minutes ahead, it will trigger the error "The JWT was issued in the future."
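The two rules above can be turned into a troubleshooting check that reads `iat` and `exp` from an ID token and reports how far off the local clock is. This is an added example, not code from okta-auth-js or Okta; the function names, reason labels, sample token and timestamps are constructed, and it assumes `iat` approximates the server time at issuance.

```javascript
// Added diagnostic sketch; not okta-auth-js code. All names are hypothetical.
const DEFAULT_MAX_CLOCK_SKEW = 300; // seconds, the default stated above

// Decode a JWT payload WITHOUT verifying the signature.
// For clock diagnostics only; never base a trust decision on this.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (!Number.isInteger(claims.iat) || !Number.isInteger(claims.exp)) {
    throw new Error('iat/exp claims missing or not integers');
  }
  return claims;
}

// Classify the local clock against a freshly issued ID token.
// Assumption: iat approximates the server's time at issuance.
function diagnoseClock(jwt, nowSeconds, maxClockSkew = DEFAULT_MAX_CLOCK_SKEW) {
  const { iat, exp } = decodeClaims(jwt);
  const offset = nowSeconds - iat; // negative means the local clock is behind
  const lifetime = exp - iat;      // 3600 for the default 60-minute ID token
  if (offset < 0) {
    const ok = -offset <= maxClockSkew; // behind: bounded by maxClockSkew
    return { ok, offset, lifetime, reason: ok ? 'behind-within-skew' : 'behind-beyond-skew' };
  }
  const ok = offset <= lifetime;        // ahead: bounded by the token lifetime
  return { ok, offset, lifetime, reason: ok ? 'ahead-within-lifetime' : 'ahead-beyond-lifetime' };
}

// Constructed sample token (placeholder signature, made-up timestamps).
function makeSampleToken(iat, lifetimeSeconds) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = { alg: 'RS256', typ: 'JWT' };
  return `${enc(header)}.${enc({ iat, exp: iat + lifetimeSeconds })}.constructed-signature`;
}

const sampleIat = 1700000000;
const sampleToken = makeSampleToken(sampleIat, 3600);
for (const delta of [-120, -301, 1800, 3601]) {
  console.log(delta, diagnoseClock(sampleToken, sampleIat + delta).reason);
}
```

Run it against a token captured immediately after sign-in, passing `Math.floor(Date.now() / 1000)` as `nowSeconds`; a large offset in either direction points at the workstation's time synchronization rather than at the token.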
