Why we use timestampSkew default value as 300 seconds in identity.xml, why not 0 seconds.

Why we use timestampSkew default value as 300 seconds in identity.xml, why not 0 seconds.

Dinali Dabarera
Hi All,

In our identity.xml the default timestampSkew value is used as 300 seconds. Shouldn't this be 0 seconds?

Because when we are getting a token from the password grant type again and again without a time delay, the expiry time of the token increases beyond its accepted value because of this equation we are using.

expiry time = issuedTimeInMillis + validityPeriodMillis - (System.currentTimeMillis() - timestampSkew);

Since timestampSkew = 300 seconds, validityPeriodMillis = 3600 seconds,
therefore, expiry time = 3644 seconds, which cannot happen.

Therefore, it is better to have the default timestampSkew value as 0 seconds in order to get correct results.


Thanks!

--
Dinali Rosemin Dabarera
Software Engineer
WSO2 Lanka (pvt) Ltd.
Web: http://wso2.com/
Mobile: +94770198933

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: Why we use timestampSkew default value as 300 seconds in identity.xml, why not 0 seconds.

Isura Karunaratne
Hi,

On Wed, May 31, 2017 at 1:23 PM, Asela Pathberiya <[hidden email]> wrote:


On Wed, May 31, 2017 at 1:08 PM, Farasath Ahamed <[hidden email]> wrote:

On Wed, May 31, 2017 at 12:28 PM, Thanuja Jayasinghe <[hidden email]> wrote:
Hi Dinali,

Consider the following calculation.

expiry time = issuedTimeInMillis + validityPeriodMillis - (System.currentTimeMillis() - timestampSkew)

So actually the token is valid for (validityPeriodMillis + timestampSkew) seconds. This additional time is added to avoid errors that occur due to time synchronization issues between servers.

If your servers are perfectly synced then you can use timestampSkew value as 0.

If we do not have any reasoning behind this 300s value then shouldn't our default value be 0 as Dinali has suggested?

Yes. Best practice is to sync the servers' time properly. +1 for keeping 0 as the default value.
We will fix this in IS 5.4.0. Created a Jira to track [1]

Thanks
Isura. 

Thanks,
Thanuja


On Wed, May 31, 2017 at 12:01 PM, Dinali Dabarera <[hidden email]> wrote:
Hi All,

In our identity.xml the default timestampSkew value is used as 300 seconds. Shouldn't this be 0 seconds?

Because when we are getting a token from the password grant type again and again without a time delay, the expiry time of the token increases beyond its accepted value because of this equation we are using.

expiry time = issuedTimeInMillis + validityPeriodMillis - (System.currentTimeMillis() - timestampSkew);

Since timestampSkew = 300 seconds, validityPeriodMillis = 3600 seconds,
therefore, expiry time = 3644 seconds, which cannot happen.

Therefore, it is better to have the default timestampSkew value as 0 seconds in order to get correct results.


Thanks!

--
Dinali Rosemin Dabarera
Software Engineer
WSO2 Lanka (pvt) Ltd.
Web: http://wso2.com/
Mobile: +94770198933

--
Thanuja Lakmal
Associate Technical Lead
WSO2 Inc. http://wso2.com/ 
lean.enterprise.middleware
Mobile: +94715979891

--
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
             +358 449 228 979

http://soasecurity.org/
http://xacmlinfo.org/

--
Isura Dilhara Karunaratne
Senior Software Engineer | WSO2
Mob : +94 772 254 810
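
Added example, not part of the thread and not WSO2 Identity Server code: the formula quoted above, evaluated with the thread's 300 s skew and 3600 s validity and again with a skew of 0, for a re-requested token and for a validator whose clock runs ahead. The 256 s delay, the 120 s drift, the issue time and all function names are constructed, and treating a token as accepted while the result is positive is an assumption.

```python
# Added illustration of the formula quoted in the thread; not WSO2 Identity Server code.
SKEW_DEFAULT_MS = 300 * 1000   # default timestampSkew discussed in the thread
VALIDITY_MS = 3600 * 1000      # validityPeriodMillis used in the thread


def remaining_ms(issued_ms, validity_ms, now_ms, skew_ms):
    """Formula from the thread: issued + validity - (now - skew)."""
    return issued_ms + validity_ms - (now_ms - skew_ms)


def is_accepted(issued_ms, validity_ms, now_ms, skew_ms):
    """Assumption: a token is accepted while the remaining time is positive."""
    return remaining_ms(issued_ms, validity_ms, now_ms, skew_ms) > 0


def acceptance_window_ms(validity_ms, skew_ms):
    """Time after issuance during which is_accepted() holds on a synced clock."""
    return validity_ms + skew_ms


def report(issued_ms, elapsed_s, drift_s, skew_ms):
    """Remaining seconds seen by a validator whose clock is drift_s ahead."""
    now_ms = issued_ms + (elapsed_s + drift_s) * 1000
    return remaining_ms(issued_ms, VALIDITY_MS, now_ms, skew_ms) // 1000


if __name__ == "__main__":
    issued = 1_496_212_260_000  # constructed issue time (epoch ms)
    for skew in (SKEW_DEFAULT_MS, 0):
        print(f"skew = {skew // 1000} s")
        # Same token returned 256 s after issuance (constructed delay).
        print("  remaining after 256 s:", report(issued, 256, 0, skew), "s")
        # Token is 3550 s old, validator clock is 120 s ahead (constructed).
        print("  3550 s old, validator +120 s:", report(issued, 3550, 120, skew), "s")
        # Token checked 3800 s after issuance on a synced clock.
        now = issued + 3800 * 1000
        print("  accepted at 3800 s:", is_accepted(issued, VALIDITY_MS, now, skew))
        window = acceptance_window_ms(VALIDITY_MS, skew) // 1000
        print("  acceptance window:", window, "s")
```

With the 300 s skew the reported remaining time exceeds the configured validity and the token is still accepted 200 s past it; with a skew of 0 the same token is rejected 70 s before its nominal expiry when the validator's clock is 120 s ahead.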