What is the bug?
The current JWT auth implementation doesn't support the clock skew configuration `jwt_clock_skew_tolerance_seconds`, as suggested by the documentation.
How can one reproduce the bug?
- Configure any `jwt_clock_skew_tolerance_seconds` for the jwt `http_authenticator`.
- Restart the OpenSearch server.
- Trigger a request that contains a JWT token after expiration (just by a few seconds).
- Observe the following error (logging set to DEBUG):

```
io.jsonwebtoken.ExpiredJwtException: JWT expired 819 milliseconds ago at 2025-07-23T07:43:29.000Z. Current time: 2025-07-23T07:43:29.819Z. Allowed clock skew: 0 milliseconds.
```

The `Allowed clock skew: 0 milliseconds` suggests that no skew is provided by the configuration to the JWT parser: neither the default 30s (as mentioned in the docs) nor our explicitly configured skew.
What is the expected behavior?
The value of `jwt_clock_skew_tolerance_seconds` should be used to configure `clockSkewSeconds` on the JWT parser in `HTTPJwtAuthenticator`.
What is your host/environment?
- OS: Ubuntu
- Version: Ubuntu 24.04.2 LTS, Opensearch 2.15
- Plugins: security plugin
I also prepared a naive PR configuring the clock skew and adding unit tests for this: #5506, as a demonstration of the problem and a possible solution.
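The check the report expects from `jwt_clock_skew_tolerance_seconds`, as an added stand-alone example that is not code from this issue or from the OpenSearch security plugin: a minimal HS256 JWT verifier in Python whose `exp` and `nbf` checks take a configurable skew tolerance, replayed against the timeline from the log line above (token `exp` at 2025-07-23T07:43:29Z, request 819 ms later). With a tolerance of 0 the token is rejected, exactly as the DEBUG log shows; with the documented 30 s it is accepted. The signing key, claims and function names (`mint_token`, `verify_token`, `accepts`) are constructed for the demo and are not the plugin's API.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; not a real secret from any deployment.
DEMO_KEY = b"demo-hs256-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT for the demo (constructed input, not a real token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class ExpiredJwtError(Exception):
    """Raised when exp lies further in the past than the allowed skew."""


def verify_token(token: str, key: bytes, clock_skew_seconds: int, now: Optional[float] = None) -> dict:
    """Verify the HS256 signature, then exp/nbf with +/- clock_skew_seconds tolerance.

    This is the semantics the issue expects from jwt_clock_skew_tolerance_seconds:
    a token whose exp is less than clock_skew_seconds in the past is still accepted.
    """
    if clock_skew_seconds < 0:
        raise ValueError("clock skew tolerance must be >= 0")
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it (alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if exp is not None and now > exp + clock_skew_seconds:
        raise ExpiredJwtError(
            f"JWT expired {round((now - exp) * 1000)} milliseconds ago. "
            f"Allowed clock skew: {clock_skew_seconds * 1000} milliseconds."
        )
    nbf = claims.get("nbf")
    if nbf is not None and now + clock_skew_seconds < nbf:
        raise ValueError("JWT not yet valid")
    return claims


def accepts(token: str, key: bytes, clock_skew_seconds: int, now: float) -> bool:
    """True if the token passes verification at time `now` with the given tolerance."""
    try:
        verify_token(token, key, clock_skew_seconds, now)
        return True
    except ExpiredJwtError:
        return False


# Timeline from the log line in the issue: exp at 2025-07-23T07:43:29Z, request 819 ms later.
EXP = 1753256609
REQUEST_TIME = EXP + 0.819
DEMO_TOKEN = mint_token({"sub": "alice", "iss": "demo-idp", "exp": EXP})

if __name__ == "__main__":
    for skew in (0, 30):
        try:
            verify_token(DEMO_TOKEN, DEMO_KEY, skew, REQUEST_TIME)
            print(f"skew={skew}s: accepted")
        except ExpiredJwtError as e:
            print(f"skew={skew}s: rejected ({e})")
```

The tolerance is applied symmetrically (it also lets a token whose `nbf` is slightly in the future through), which is what a clock-skew allowance is for; it is not a grace period, so keep it at the tens-of-seconds scale the docs describe, since every second of tolerance extends the window in which an expired token is still honoured.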