OAuth token validation fails due to clock skew

[uwburn]

Bug Report

Description

Verification of OAuth token attached to requests fails due to skew between the verifying connector clock and the authorization server clock. This happens in particular if the authorization server clock is in the future in respect of the connector clock.

Expected Behavior

Connectors should be able to talk each other correctly, dealing with some amount of clock drift between connector and the authorization server.

Observed Behavior

Connectors experience errors in communication due to invalid tokens, e.g. exploring the catalog results in exception:

de.sovity.edc.utils.catalog.DspCatalogServiceException: {"@type":"dspace:CatalogError","dspace:code":"401","dspace:reason":"Token validation failed.","@context":{"dct":"https://purl.org/dc/terms/","edc":"https://w3id.org/edc/v0.0.1/ns/","dcat":"https://www.w3.org/ns/dcat/","odrl":"http://www.w3.org/ns/odrl/2/","dspace":"https://w3id.org/dspace/v0.8/"}}

Steps to Reproduce

Steps to reproduce the behavior:

1. Verify authorization server clock to be slightly in the future (e.g. 1 second)
2. Start from the example setup contained in docker-compose.yaml
3. Ensure to use ce images
4. Add configuration relevant to EDC OAuth + certificates for signing tokens and key aliases
5. docker-compose up to start everything
6. Open up the UI for one of the connectors
7. Navigate to catalog browser
8. See FAILED FETCHING CATALOG. error on the UI
9. See error in the connector logs:

de.sovity.edc.utils.catalog.DspCatalogServiceException: 
{"@type":"dspace:CatalogError","dspace:code":"401","dspace:reason":"Token validation failed.","@context":{"dct":"https://purl.org/dc/terms/","edc":"https://w3id.org/edc/v0.0.1/ns/","dcat":"https://www.w3.org/ns/dcat/","odrl":"http://www.w3.org/ns/odrl/2/","dspace":"https://w3id.org/dspace/v0.8/"}}

Context Information

I have experienced this while trying to follow Productive Deployment Guide, using Keycloak as DAPS.

The error sparks from EDC Connector class org.eclipse.edc.iam.oauth2.rule.Oauth2ExpirationIssuedAtValidationRule, checks, at line 54 in particular, should take into account skew between connector's and auth server's clocks.

Looking at EDC Connector issues, it looks like this has been fixed by eclipse-edc/Connector#3728, which is included in v0.5.0, but sovity extensions is still on v0.2.1.

[tmberthold]

Hello and thank you for opening the issue.

Yes, a colleague of ours (@richardtreier) has already addressed and fixed this in the core-edc and the fix was released with the core-edc version mentioned. In fact, we haven't migrated to this yet, I can only confirm that at this point.

I'll also link another colleague who takes care of planning our releases, maybe he can give a hint here when we'll migrate to the newer version of the core-edc v0.5.0 @AbdullahMuk .

[uwburn]

Hello again, thank you for looking into the issue.

Knowing that using core-edc v0.5.0 is on the roadmap it's good news!

[AbdullahMuk]

Consider as part of https://github.com/sovity/PMO-Software/issues/808 ?

[SebastianOpriel]

@efiege what is the status?