Let me explain how time stamp skew works and how it affects token generation.
First, time stamp skew is there to fix issues caused by small differences between the system clock values of servers.
Let's say you have 2 key managers, and you generate a token from one and authenticate with the other.
When the first key manager generates the token (say its life span is 3600 sec), the time stamp skew value (say 300 sec) is deducted from the token life time, so the client is notified that the token validity period is 3300 sec.
The client then calls the second key manager with that token exactly 3200 sec later, and there is a time difference between the key managers (the second key manager has a +300 sec time difference).
In such cases, time stamp skew takes care of those small gaps.
So, theoretically:
Time stamp skew should never be larger than the token life time.
It should be very small compared to the token validity period.
Token cache duration should never be larger than the token validity period.
You can change the configuration values according to your requirements, but you cannot put in just any random numbers, because these values are interrelated :-)
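
The scenario above as a small Python model (an added example, not code from the original post or from any key manager product). It assumes the validating key manager compares its own clock against the issue time plus the full token life time; the names, the 900 sec cache duration and the 10% threshold for "very small" are constructed for illustration.

```python
from dataclasses import dataclass

SMALL_RATIO = 0.10  # assumed meaning of "very small"; not a value from the post


@dataclass(frozen=True)
class TokenConfig:
    lifetime: int        # real token life time, seconds
    skew: int            # time stamp skew, seconds
    cache_duration: int  # token cache duration, seconds

    def advertised_validity(self) -> int:
        # Validity period reported to the client: life time minus skew.
        return self.lifetime - self.skew

    def problems(self) -> list:
        # Checks the three relations listed in the post.
        validity = self.advertised_validity()
        found = []
        if self.skew >= self.lifetime:  # equal would leave zero validity
            found.append("skew is not smaller than token life time")
        if self.skew > SMALL_RATIO * validity:
            found.append("skew is not small compared to validity period")
        if self.cache_duration > validity:
            found.append("cache duration exceeds validity period")
        return found


def accepted(cfg, elapsed, validator_offset):
    # Assumed check: the validating key manager compares its own clock
    # (issuer clock + offset) against issue time + full life time.
    return elapsed + validator_offset < cfg.lifetime


def safe_for_offset(cfg, validator_offset):
    # True if a token used in the last second the client believes it is
    # valid is still accepted by a key manager whose clock is offset.
    return accepted(cfg, cfg.advertised_validity() - 1, validator_offset)


if __name__ == "__main__":
    cfg = TokenConfig(lifetime=3600, skew=300, cache_duration=900)  # constructed
    print(cfg.advertised_validity())      # period the client is told
    print(accepted(cfg, 3200, 300))       # the call described in the post
    print(safe_for_offset(cfg, 300))      # skew covers a +300 sec clock
    no_skew = TokenConfig(lifetime=3600, skew=0, cache_duration=900)
    print(safe_for_offset(no_skew, 300))  # no skew: rejected while client thinks valid
    print(TokenConfig(300, 600, 900).problems())
```

In this model the largest clock difference that is absorbed equals the skew value, which is why the skew has to be sized to the real drift between servers rather than picked at random.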