Hey team. Quick question… what is the lifetime of the jwt token? I think I read somewhere that it is 12 hours. Well, it seems to me to be 12 hours and 5 minutes.
So, Chris, I am going back through the tutorial for the Ziti host access that you wrote for me. The issue, is that the jwt token is only valid for 5 minutes! The problem is to do with how time is handled. I live in NZ, so I am GMT+12 hours. If you have given the token a 12hr 5 minute lifetime, then I loose 12 hours because the docker containers by default are GMT time. When I copy the file out, and put on a machine, suddenly the time jumps 12 hours and I get 5 minutes. Will be worse during DST where we go +13 hours, so it will be invalid as soon as I make it.
I am using the windows tunneler client.
I have set the TZ=“Pacific/Auckland” environment variable on the containers and tried again. However, the container is not taking it. Will figure this out and report back, just raising the question really. Options I see to fix:
a) When you import the token, do a check on the GMT time, and not host local time
b) Extend the jwt lifetime
b) When using the docker-compose put in a timezone location and modify the howto to put in the correct timezone for the location. This is not really an openziti problem, as this affects all docker containers.
Seems I could be the lucky one to run into this gem!
1 Like
OK - this just got wierder. I copied that file into ziti-edge-router docker container which is using UTC for it time, so would have expected this to work. Timestamp is 10:51 and it is saying that it is expired by 24m6s (localtime was ~11:24pm).
The JWT life is configurable. The OpenZiti controller config has the setting you wnat to change to make it longer:
edgeIdentity:
# duration - optional, default 5m
# The length of time that a Ziti Edge Identity enrollment should remain valid. After
# this duration, the enrollment will expire and no longer be usable.
duration: 5m
wrt: a.) NOTHING should be reliant on local time. if you’re observing that - it’s a bug for sure.
You’ll need to restart the controller for the new duration to take effect.
Thanks for the clarification. To assist those who come here later, where does that config file live?
Oooh… this is actually a really valid point specifically for the docker-compose environment. In the compose environment it’s trickier. For docker-compose, that will be located at /openziti/ziti-edge-controller.yaml
. Docker compose reuses the same volume for all the containers that get launched so you can get at these files from any of the containers.
For other the all local or host it anywhere quickstarts it’ll be be generally be in the folder ~/.ziti/quickstarts/$(hostname)/$(hostname).yaml
@TheLumberjack - Just doing some reading about 3rd party certs, as that is my next shiny object to play with. However, on this page: https://openziti.github.io/ziti/identities/overview.html?tabs=tabid-new-ca-ui%2Ctabid-new-identity-ui, under OTT, there is this sentence...
One time tokens are delivered from the Ziti Controller as a jwt and the token expires 24 hours after the identity is created.
This is in error, as the default is 5 minutes - correct?
Oh yeah… That should be stated differently. Might have been true back when that page was written, also might have been a typo even then.
The default is changing to 3 hours but it’s not released yet. Regardless that should read that it’s “configurable and set via the controller”… I’ll file a bug. While I’m in there, I’m going to file a ~bug~ enhancement to dynamically allow changing any/all config settings too.
Thanks!