• Alex

    (@wishe)


    When testing the plugin I keep getting this error when trying to log in with the Vipps integration.

    This seems to be where the error is triggered:

            if (isset($body['nbf']) && $body['nbf'] > ($timestamp + static::$leeway)) {
                return array('status'=>0, 'msg'=>'too_early','data'=>null);
            }
            if (isset($body['iat']) && $body['iat'] > ($timestamp + static::$leeway)) {
                return array('status'=>0, 'msg'=>'too_early','data'=>null);
            }

    Is there maybe some timezone issue here?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Iver Odin Kvello

    (@iverok)

    It shouldn’t be – both the nbf and iat and the $timestamp that is used for the check are the number of seconds from 1 Jan 1970 – a “NumericDate” defined for the JWT and just the unix timestamp for the comparison. So there is no timezone to worry about.

    It is possible that your server’s clock is slightly off. We do have a 30 second “leeway” thing built in, but maybe that’s not enough for you here.

    Could you try to log the value of the nbf, iat and $timestamp at the indicated location?

    Also, does this happen *every* time, or just sometimes?

    Thread Starter Alex

    (@wishe)

    I logged the output of all 3 and it seems that “nbf” is null which is what is triggering the error.

    { "nbf": null, "iat": 1678798755, "timestamp": 1678798634 }

    Method used:

            wp_die(json_encode(array('nbf' => $body['nbf'], 'iat' => $body['iat'], 'timestamp' => $timestamp), JSON_PRETTY_PRINT));
    

    And it happens every time, still have not got it to work.

    Plugin Author Iver Odin Kvello

    (@iverok)

    Can confirm, nbf is missing in the token. I don’t get the same error though, but I’ll create a fix for it. It’ll be a couple of minutes though.

    Plugin Author Iver Odin Kvello

    (@iverok)

    Wait; if the ‘nbf’ is simply missing, you should not have gotten the too_early. It should not have the value ‘null’, it must be numerical or missing. It is probably missing, which means that it was iat which triggered “too early”.

    Your two values for iat and current time however translate like so in CET:

    
    timestamp: 2023-03-14 13:57:14
    iat      : 2023-03-14 13:59:15

    So that means that you are actually two minutes into the future relative to Vipps, more than the 30 seconds of leeway we allow for.

    If possible, try to see if you can adjust your server time (setting up NTP or something like that), since 2 minutes is quite a bit. If you cannot, we can add a hook that will allow you to modify the leeway before validation – but that’s not an ideal situation if your clock continues to diverge.

    Thread Starter Alex

    (@wishe)

    Keep in mind that this is on my local development server. It may work fine on my EC2 instance, but let me try to manually set the leeway to + 5 minutes and see if that fixes the problem. Give me a minute!

    Thread Starter Alex

    (@wishe)

    It works on my local machine when I extended the leeway to 300 seconds. I will test it on my production server and see if the problem persists. If it does, it would be nice to have a hook to change this value.

    Thread Starter Alex

    (@wishe)

    Ok. Can confirm that this was a problem on my end, my systemd-timesync service was not active so the local time had not been synced for a while. After fixing this, the plugin works as expected. Sorry for bothering you with this issue and thanks for the help. I appreciate the speed of response.

    Plugin Author Iver Odin Kvello

    (@iverok)

    No problem of course – the 30 seconds here are really just a guess about what is appropriate, so feedback about it is interesting anyway. We are keeping the 30 seconds for now; it is possible after all to modify it in hooks running before the template-redirect; but if this were to be a recurring issue we’ll just add a filter for it.

  • The topic ‘Kunne ikke verifisere din oAuth2 token: too_early’ is closed to new replies.
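
The check discussed in this thread, as an added example that is not the plugin's own code: it applies the same `isset()` plus leeway comparison to `nbf` and `iat`, but also reports which claim failed and by how many seconds, so clock skew shows up directly in a log. The function name `check_time_claims` and the result shape are hypothetical; the sample values are the ones logged in the thread.

```php
<?php
// Added example, not the plugin's code. Function name and result keys are hypothetical.

/**
 * Check the JWT time claims the way the snippet in the thread does, but report
 * which claim failed and by how many seconds, so clock skew is visible in logs.
 */
function check_time_claims(array $body, int $now, int $leeway = 30): array
{
    foreach (['nbf', 'iat'] as $claim) {
        // isset() is false for a missing key and for null, so an absent nbf is skipped.
        if (!isset($body[$claim])) {
            continue;
        }
        // A NumericDate must be a number; reject anything else instead of comparing it.
        if (!is_int($body[$claim]) && !is_float($body[$claim])) {
            return ['ok' => false, 'msg' => 'malformed_claim', 'claim' => $claim, 'ahead_by' => null];
        }
        // Seconds by which the claim lies in the future of the local clock.
        $aheadBy = (int) ceil($body[$claim] - $now);
        if ($aheadBy > $leeway) {
            return ['ok' => false, 'msg' => 'too_early', 'claim' => $claim, 'ahead_by' => $aheadBy];
        }
    }
    return ['ok' => true, 'msg' => 'ok', 'claim' => null, 'ahead_by' => null];
}

// Values logged in the thread: nbf is null, iat is ahead of the local timestamp.
$body = ['nbf' => null, 'iat' => 1678798755];
$now  = 1678798634;

// Compare the default 30 second leeway with the 300 seconds tried in the thread.
foreach ([30, 300] as $leeway) {
    $r = check_time_claims($body, $now, $leeway);
    printf("leeway=%ds: %s", $leeway, $r['msg']);
    if (!$r['ok']) {
        printf(" (%s is %ds ahead of local time)", $r['claim'], $r['ahead_by']);
    }
    echo PHP_EOL;
}
```

Logging the `ahead_by` value on every rejection distinguishes a drifting server clock from a malformed or replayed token without having to widen the leeway first.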