Allowance for server clock skew
Allowance for server clock skew
Submitted by svickers on Wed, 18-Nov-2020 18:30.
When verifying an incoming LTI message or service request, it is necessary to allow for some skew between the clocks on the sending and receiving servers. This is the case for both OAuth 1 signatures and JWTs in LTI 1.3. The Google library I use for OAuth 1 defaulted to an allowance of 5 minutes, but I have defaulted to using 3 minutes for my LTI 1.3 implementations. Are these reasonable and acceptable values to use even though, I assume, we can reasonably expect there to be very little difference (a few seconds at most) between server clocks? Is anyone willing to share the values they are using by way of comparison? Do the 1EdTech certification tests require a minimum allowance to be implemented?
Thanks.
Well we have 3 minutes too :)
Well we have 3 minutes too :)
Claude
Re: Allowance for server clock skew
Just wondering whether there is a minimum amount of allowed clock skew required for a product to be certified. If so, what amount is required? If not, does IMS have a recommendation for the amount to be allowed or does it consider none to be acceptable? Thanks.