Add a JWTLeeway for LTI 1.3 JWT validation.

drgrice1 · drgrice1 · commit 306c3139fc90 · 2025-08-20T14:25:58.000-05:00
This is the maximum number of seconds that exp and iat values in the JWT
sent with a launch request are allowed to be in the future relative to
the current time on the webwork2 server.  The Crypt::JWT module by
default uses a value of 0 for this, meaning that the iat and exp values
in the token must be before the current time on the webwork2 server.

This may be why many are experiencing issues with JWT tokens failing to
validate, and is due to the clock on the LMS server being ahead of the
clock on the webwork2 server. Generally such issues can be resolved by
synchronizing clocks, but in some cases a small leeway may be needed.
diff --git a/conf/authen_LTI_1_3.conf.dist b/conf/authen_LTI_1_3.conf.dist
@@ -116,6 +116,19 @@ $LTI{v1p3}{AuthReqURL}      = '';
 # don't pile up in the database.
 $LTI{v1p3}{StateKeyLifetime} = 60;    # in seconds
 
+# When a LTI 1.3 launch request occurs the JWT in the request is decoded and the exp and iat in
+# the token are validated.  The expectation is that the iat and exp values are before (less
+# than) the current time on the webwork2 server plus the JWTLeeway, and if they are greater than
+# the current time plus the JWTLeeway then the JWT fails to validate.  So the JWTLeeway is the
+# maximum allowed time in seconds that the exp and iat values in the token are allowed to be
+# after the current time.  If the JWTs in these launch requests are failing to validate, then
+# increase this value to allow for a larger difference between the exp and iat values in the JWT
+# and the current time. This is usually caused by the clock on the LMS server being ahead of the
+# clock on the webwork2 server.  Generally, a small leeway may be needed, but if the clock on
+# the LMS server is too far ahead of the clock on the webwork2 server, then steps should be
+# taken to synchronize the clocks.
+$LTI{v1p3}{JWTLeeway} = 0;    # in seconds
+
 ################################################################################################
 # LTI 1.3 LMS Roles Mapped to WeBWorK Roles
 ################################################################################################
diff --git a/lib/WeBWorK/ContentGenerator/LTIAdvantage.pm b/lib/WeBWorK/ContentGenerator/LTIAdvantage.pm
@@ -367,6 +367,7 @@ sub extract_jwt_claims ($c) {
 		verify_aud => $ce->{LTI}{v1p3}{ClientID},
 		verify_iat => 1,
 		verify_exp => 1,
+		leeway     => $ce->{LTI}{v1p3}{JWTLeeway} // 0,
 		# This just checks that this claim is present.
 		verify_sub => sub ($value) { return $value =~ /\S/ }
 	);
