
JWT::InvalidIatError at /user/auth/google_oauth2/callback Invalid iat

I get this error when I try to log in using Google oauth2 locally. Googling the error doesn't give me any indication. On Heroku I don't have any issues.

This is my omniauth controller function for google:

  def google_oauth2
    # You need to implement the method below in your model (e.g. app/models/user.rb)
    @user = User.from_omniauth(request.env["omniauth.auth"])

    if @user.persisted? # Check if the user exists
      sign_in_and_redirect @user, event: :authentication
      # flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "Google"
    else
      session["devise.google_data"] = request.env["omniauth.auth"].except('extra')
      redirect_to new_user_registration_url
    end
  end

This is the server log output:

Started GET "/user/auth/google_oauth2" for 10.0.2.2 at 2015-10-04 17:11:23 -0400
Cannot render console from 10.0.2.2! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
I, [2015-10-04T17:11:23.278558 #8203]  INFO -- omniauth: (google_oauth2) Request phase initiated.


Started GET "/user/auth/google_oauth2/callback?state=7080deaf5a52603044da3856898c08a89722f57e4dc9e75d&code=4/vWA-kcX2_P8JF6i10VIMRtYO81crG5vyPMRyknGs3q4" for 10.0.2.2 at 2015-10-04 17:11:26 -0400
Cannot render console from 10.0.2.2! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
I, [2015-10-04T17:11:26.065521 #8203]  INFO -- omniauth: (google_oauth2) Callback phase initiated.

JWT::InvalidIatError - Invalid iat:
  jwt (1.5.1) lib/jwt.rb:170:in `decode'
  omniauth-google-oauth2 (0.2.7) lib/omniauth/strategies/google_oauth2.rb:63:in `block in <class:GoogleOauth2>'
  omniauth (1.2.2) lib/omniauth/strategy.rb:105:in `block in compile_stack'
  omniauth (1.2.2) lib/omniauth/strategy.rb:104:in `compile_stack'
  (eval):7:in `extra_stack'
  omniauth (1.2.2) lib/omniauth/strategy.rb:329:in `extra'
  omniauth (1.2.2) lib/omniauth/strategy.rb:336:in `auth_hash'
  omniauth (1.2.2) lib/omniauth/strategy.rb:361:in `callback_phase'
  omniauth-oauth2 (1.3.1) lib/omniauth/strategies/oauth2.rb:79:in `callback_phase'
  omniauth (1.2.2) lib/omniauth/strategy.rb:227:in `callback_call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:184:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  bullet (4.14.7) lib/bullet/rack.rb:12:in `call'
  meta_request (0.3.4) lib/meta_request/middlewares/app_request_handler.rb:13:in `call'
  meta_request (0.3.4) lib/meta_request/middlewares/meta_request_handler.rb:13:in `call'
  rails-dev-boost (0.3.0) lib/rails_development_boost/async.rb:14:in `call'
  jquery-fileupload-rails (0.4.6) lib/jquery/fileupload/rails/middleware.rb:14:in `_call'
  jquery-fileupload-rails (0.4.6) lib/jquery/fileupload/rails/middleware.rb:10:in `call'
  warden (1.2.3) lib/warden/manager.rb:35:in `block in call'
  warden (1.2.3) lib/warden/manager.rb:34:in `call'
  rack (1.6.4) lib/rack/etag.rb:24:in `call'
  rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
  rack (1.6.4) lib/rack/head.rb:13:in `call'
  remotipart (1.2.1) lib/remotipart/middleware.rb:27:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/flash.rb:260:in `call'
  rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/cookies.rb:560:in `call'
  activerecord (4.2.4) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.2.4) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
  activerecord (4.2.4) lib/active_record/migration.rb:377:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.2.4) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
  activesupport (4.2.4) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
  activesupport (4.2.4) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/reloader.rb:73:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:84:in `protected_app_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:79:in `better_errors_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:57:in `call'
  rack-contrib (1.4.0) lib/rack/contrib/response_headers.rb:17:in `call'
  meta_request (0.3.4) lib/meta_request/middlewares/headers.rb:16:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  web-console (2.2.1) lib/web_console/middleware.rb:31:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.4) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.4) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.2.4) lib/rails/rack/logger.rb:20:in `call'
  quiet_assets (1.1.0) lib/quiet_assets.rb:27:in `call_with_quiet_assets'
  actionpack (4.2.4) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
  rack (1.6.4) lib/rack/runtime.rb:18:in `call'
  activesupport (4.2.4) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  rack (1.6.4) lib/rack/lock.rb:17:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/static.rb:116:in `call'
  rack (1.6.4) lib/rack/sendfile.rb:113:in `call'
  rack-mini-profiler (0.9.7) lib/mini_profiler/profiler.rb:276:in `call'
  railties (4.2.4) lib/rails/engine.rb:518:in `call'
  railties (4.2.4) lib/rails/application.rb:165:in `call'
  rack (1.6.4) lib/rack/content_length.rb:15:in `call'
  puma (2.11.1) lib/puma/server.rb:507:in `handle_request'
  puma (2.11.1) lib/puma/server.rb:375:in `process_client'
  puma (2.11.1) lib/puma/server.rb:262:in `block in run'
  puma (2.11.1) lib/puma/thread_pool.rb:104:in `block in spawn_thread'
Batman asked Nov 28 '22 13:11


2 Answers

Recently google_oauth2 released a way where we can bypass JWT decoding.

Use the option :skip_jwt => true in the file where you have configured OmniAuth.

use OmniAuth::Builder do
  provider :google_oauth2, ENV["GOOGLE_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"], skip_jwt: true
end

For more details, check Fix Steps By Gem Author

imsinu9 answered Nov 30 '22 03:11


skip_jwt: true is not always the best way to do that. The problem seems to lie in the hardware clock of my server in this case. It was off by 72 seconds in my case and, if I recall, by default JWT allows 60 seconds. You can check that and fix it by doing the following.

sudo ntpdate ntp.ubuntu.com

Set up a cron job to check every hour and fix it:

sudo nano /etc/cron.hourly/ntpdate

Add:

#!/bin/sh

ntpdate ntp.ubuntu.com

Save the file and change permissions:

sudo chmod +x /etc/cron.hourly/ntpdate
Petros Kyriakou answered Nov 30 '22 01:11
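
The failure mode the second answer describes, as an added Ruby example that is not part of either answer or of the jwt gem: a host clock 72 seconds behind the issuer makes a fresh token's iat look like the future, so a 60-second leeway (the figures from the answer) rejects it. The token, secret, timestamp and helper names are constructed, and HS256 stands in for Google's RS256 so the block needs only the standard library.

```ruby
require "base64"
require "json"
require "openssl"

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Build a constructed HS256 token (hypothetical helper, offline use only).
def sign_token(payload, secret)
  header = b64url(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  input = "#{header}.#{b64url(JSON.generate(payload))}"
  "#{input}.#{b64url(OpenSSL::HMAC.digest("SHA256", secret, input))}"
end

# Constant-time comparison of two byte strings.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :bad_signature, :invalid_iat or :ok. The signature is checked
# first, then iat must not lie further ahead of `now` than `leeway` seconds.
def verify_token(token, secret, now:, leeway: 0)
  head, body, sig = token.split(".")
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{head}.#{body}")
  return :bad_signature unless secure_equal?(expected, Base64.urlsafe_decode64(sig.to_s))
  iat = JSON.parse(Base64.urlsafe_decode64(body))["iat"]
  iat.is_a?(Integer) && iat <= now + leeway ? :ok : :invalid_iat
end

# Diagnostic only: read iat from the unverified payload to measure how many
# seconds the local clock is behind the issuer (positive = local clock slow).
def clock_skew_seconds(token, now:)
  JSON.parse(Base64.urlsafe_decode64(token.split(".")[1]))["iat"] - now
end

SECRET = "constructed-secret"
ISSUED_AT = 1_443_993_086 # constructed issuer timestamp
TOKEN = sign_token({ "iss" => "issuer.example", "iat" => ISSUED_AT }, SECRET)
SLOW_CLOCK = ISSUED_AT - 72 # local clock 72 s behind, as in the answer

puts clock_skew_seconds(TOKEN, now: SLOW_CLOCK)
puts verify_token(TOKEN, SECRET, now: SLOW_CLOCK, leeway: 60)
puts verify_token(TOKEN, SECRET, now: ISSUED_AT, leeway: 60)
```

A positive skew larger than the leeway points at the host clock rather than at the token; once the clock is synced the same token passes with the iat check still in place.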