
IDP login issue if user's time is not 'Auto set' and it's wrongly set in system #1436

Open
amarbolegaonkar opened this issue Sep 11, 2024 · 2 comments

Comments

@amarbolegaonkar

amarbolegaonkar commented Sep 11, 2024

Describe the bug
Hi @manfredsteyer, I hope this message finds you well.
We have identified an issue related to token expiration affecting a specific user. If the user's system time is not set to 'Auto set' and is inaccurately configured (e.g., 10 minutes behind the current time), the user is unable to log in and encounters a blank screen with an error message indicating "Token has expired," as illustrated in the attached image.

[attached image: Token]

To Reproduce
Steps to reproduce the behavior:

  1. Open 'Date & Time' settings
  2. Disable 'Auto Set'
  3. Roll back the current time by 10 minutes (i.e. 10 minutes less than the current time).
  4. If the user tries to log in, the app is stuck on a blank screen.

Additional information:

  • OS: Windows 10
  • Browser: Chrome (Version 128.0.6613.113)
  • "angular-oauth2-oidc": "^13.0.1"
  • "angular-oauth2-oidc-jwks": "^13.0.1"
  • Angular version: 12.2.11

Please provide me with a solution if it's already fixed. I need to solve it asap.

Your assistance in addressing this matter would be greatly appreciated.

@aaronclawrence

We have this issue too. I am considering what to do about it.

I think that the id token validity checks are basically pointless. Or maybe they are nice to have for security, but not practical in mass market situations where the client clock cannot be guaranteed. I noticed that Auth0, another OAuth library, recently did a change along these lines.

So I'm thinking of basically disabling them, perhaps by adding a config flag.

@aaronclawrence

On further thought, the problem is reversed. The point of these checks is to validate the client clock, because an accurate clock is required for protection against replay attacks. The actual "validity" of the id token isn't the important part. So disabling it is not a great idea.
