ClockSkew configuration uses incorrect format (integer instead of TimeSpan string) #236

@nitin-vavdiya

Current Behavior

The ClockSkew value in appsettings.json under JwtBearerOptions.TokenValidationParameters is set as an integer (60000):

"TokenValidationParameters": {
  "ClockSkew": 60000
}

Ref:

This value is incorrectly parsed by .NET's configuration binding. When binding to TimeSpan, a plain integer is interpreted as days, resulting in an extremely large clock skew (~164 years) instead of the intended 60 seconds or 1 minute.

Expected Behavior

ClockSkew should be configured as a valid TimeSpan string format that .NET can correctly parse:

"TokenValidationParameters": {
  "ClockSkew": "00:01:00"
}

This ensures the clock skew is properly set to 1 minute, allowing for reasonable tolerance when validating token expiration times.

Steps To Reproduce

  1. Create a token using the Keycloak token API
  2. Wait for token expiry + 10-15 mins
  3. Make an API call with an expired token
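
The binding behaviour described in this issue can be reproduced in isolation with the added example below, which is not code from the project or from the issue author. It binds both forms of the setting and adds a startup guard that rejects an implausible skew. The shortened key path, the `MaxAllowedSkew` ceiling and the `ClockSkewCheck` class are assumptions, and the `Microsoft.Extensions.Configuration.Json` and `Microsoft.Extensions.Configuration.Binder` packages are required.

```csharp
using System;
using System.IO;
using System.Text;
using Microsoft.Extensions.Configuration;

static class ClockSkewCheck
{
    // Assumed policy ceiling for this example; choose what your deployment tolerates.
    static readonly TimeSpan MaxAllowedSkew = TimeSpan.FromMinutes(5);

    // Constructed sample settings mirroring the two snippets in the issue.
    const string IntegerForm = "{\"TokenValidationParameters\":{\"ClockSkew\":60000}}";
    const string TimeSpanForm = "{\"TokenValidationParameters\":{\"ClockSkew\":\"00:01:00\"}}";

    static TimeSpan BindClockSkew(string json)
    {
        using var stream = new MemoryStream(Encoding.UTF8.GetBytes(json));
        IConfiguration config = new ConfigurationBuilder().AddJsonStream(stream).Build();
        // The JSON provider stores every value as a string; the binder then converts
        // "60000" with the TimeSpan converter, which reads a bare integer as days.
        return config.GetValue<TimeSpan>("TokenValidationParameters:ClockSkew");
    }

    // Fail fast at startup instead of silently accepting long-expired tokens.
    static void EnsureSane(TimeSpan skew)
    {
        if (skew < TimeSpan.Zero || skew > MaxAllowedSkew)
            throw new InvalidOperationException(
                $"ClockSkew {skew} is outside 0..{MaxAllowedSkew}; use \"hh:mm:ss\" in appsettings.json.");
    }

    static void Main()
    {
        TimeSpan bad = BindClockSkew(IntegerForm);
        TimeSpan good = BindClockSkew(TimeSpanForm);
        Console.WriteLine($"60000      -> {bad} (about {bad.TotalDays / 365.25:F0} years)");
        Console.WriteLine($"\"00:01:00\" -> {good}");

        EnsureSane(good); // passes
        try { EnsureSane(bad); }
        catch (InvalidOperationException ex) { Console.WriteLine($"rejected: {ex.Message}"); }
    }
}
```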
