Update the default JWT leeway to 300s (#1135)

Copy the rationale for this decision from the CLI, where we had a deeper discussion and research phase. This is effectively backporting a decision from the CLI to the SDK.
globus · Feb 3, 2025 · 5a6e1fb · 5a6e1fb
1 parent cdc91d3
commit 5a6e1fb
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/changelog.d/20250203_125146_sirosen_update_default_jwt_leeway.rst b/changelog.d/20250203_125146_sirosen_update_default_jwt_leeway.rst
@@ -0,0 +1,7 @@
+Changed
+~~~~~~~
+
+- The SDK now defaults JWT leeway to 300 seconds when decoding ``id_token``\s;
+  the previous leeway was 0.5 seconds. Users should find that they are much
+  less prone to validation errors when working in VMs or other scenarios which
+  can cause significant clock drift. (:pr:`NUMBER`)
diff --git a/src/globus_sdk/services/auth/response/oauth.py b/src/globus_sdk/services/auth/response/oauth.py
@@ -203,7 +203,21 @@ def decode_id_token(
 
         jwt_params = jwt_params or {}
 
-        jwt_leeway: float | datetime.timedelta = 0.5
+        # default to 300 seconds
+        #
+        # valuable inputs to this number:
+        # - expected clock drift per day (6s for a bad clock)
+        # - Windows time sync interval (64s)
+        # - Windows' stated goal of meeting the Kerberos 5 clock skew requirement (5m)
+        # - ntp panic threshold (1000s of drift)
+        # - the knowledge that VM clocks typically run slower and may skew significantly
+        #
+        # NTP panic should be understood as a critical error; 1000s of drift is
+        # therefore too high for us to allow.
+        #
+        # 300s (5m) is therefore chosen to match the Windows desired maximum for
+        # clock drift, and the underlying Kerberos requirement.
+        jwt_leeway: float | datetime.timedelta = 300.0
         if "leeway" in jwt_params:
             jwt_params = jwt_params.copy()
             jwt_leeway = jwt_params.pop("leeway")