I'm using the official Okta Python SDK to do some automation work with a key-pair authenticated OAuth Service client, and today I started getting ‘invalid_client - The client_assertion token has an expiration too far into the future’ errors when submitting requests to the API.
Investigating, I found the exp value in the generated client_assertion JWT was only +1 second too far beyond the 1 hour validity window that the Auth Server seems to demand. This development is being done on an enterprise workstation with the time set centrally for the domain, so adjusting the local time isn’t an option.
I’ve been able to bodge this by editing the SDK files and just deducting 60 seconds from the epoch time being used when generating the exp value for the client_assertion JWTs, but I was wondering if there was a better way of handling this? Is there some clock skew functionality for the Org Auth Server that I can configure somehow? Am I missing some client config in the SDK that would allow me to manage this? Any advice appreciated.
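The failure described in the post above, modelled as an added example (not part of the original post and not Okta SDK code): a client clock 1 second ahead pushes a full-hour `exp` past the server's limit, while a shorter assertion lifetime leaves room for skew. The 1 hour limit is taken from the post; the client ID, audience URL, timestamps and the unsigned placeholder token are constructed for the demonstration.

```python
import base64, json, uuid

MAX_AHEAD = 3600  # assumption taken from the post: exp may be at most 1 hour ahead of server time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_claims(client_id: str, audience: str, client_now: int, lifetime: int = 300) -> dict:
    """Claims for a private_key_jwt client assertion; a short lifetime leaves room for skew."""
    if not 0 < lifetime <= MAX_AHEAD:
        raise ValueError("lifetime must be between 1 and MAX_AHEAD seconds")
    return {"iss": client_id, "sub": client_id, "aud": audience,
            "iat": client_now, "exp": client_now + lifetime, "jti": str(uuid.uuid4())}

def placeholder_jwt(claims: dict) -> str:
    """Constructed, unsigned stand-in; a real assertion is signed with the client's private key."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"

def decode_payload(jwt: str) -> dict:
    """Read the claims of a compact JWT for inspection only (no signature check)."""
    part = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def overshoot(claims: dict, server_now: int) -> int:
    """Seconds by which exp exceeds the server's limit; <= 0 means inside the window."""
    return claims["exp"] - (server_now + MAX_AHEAD)

def server_accepts(claims: dict, server_now: int) -> bool:
    """Model of the check the post describes: exp in the future, not beyond the limit."""
    return claims["exp"] > server_now and overshoot(claims, server_now) <= 0

def demo() -> dict:
    server_now = 1_700_000_000        # constructed timestamp
    client_now = server_now + 1       # workstation clock runs 1 second ahead
    aud = "https://idp.example.com/oauth2/v1/token"  # constructed audience
    full = decode_payload(placeholder_jwt(build_claims("constructed-client-id", aud, client_now, 3600)))
    short = decode_payload(placeholder_jwt(build_claims("constructed-client-id", aud, client_now, 300)))
    return {"full_overshoot": overshoot(full, server_now),
            "full_ok": server_accepts(full, server_now),
            "short_ok": server_accepts(short, server_now),
            "skew_tolerated": -overshoot(short, client_now)}

if __name__ == "__main__":
    print(demo())
```

A shorter assertion lifetime also narrows the window in which a captured assertion could be replayed.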