Occasional 'The Token can't be used before...' error after Cognito authentication

Question

We are authenticating with AWS Cognito and using the resultant AccessToken for access to our Java API, which is using the Auth0 jwt library. We are occasionally seeing this error:

`InvalidClaimException: The Token can't be used before ...`

Where x is in the future, according to both our alerting software and our Slack instance where alerts are additionally sent to.

We've added an 'acceptLeeway' of 30seconds, which reduced the occurrences but we're still occasionally seeing errors - x is now always 30 seconds in the future.

Beyond increasing the leeway further, any thoughts?

Answer

Hello Tom,

Greetings from AWS !

The error indicates that, your application where the token is being used has not reached the time when the token is issued. To sync your application server's time with Amazon, please refer to document [1].

Further, I have found a relevant third-party Github repo issue [2] which may be helpful for you in this scenario. Please note that third-party resources are shared on best effort basis and AWS will not be able to vouch for the accuracy of the content being provided. Kindly ensure to test in your development environment before using in production.

--References--

[1] https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/

[2] https://github.com/auth0/java-jwt/issues/467

Occasional 'The Token can't be used before...' error after Cognito authentication

Contenuto pertinente