ln -s

Reputation: 324

OpenTok JWT Authentication Bug

When performing a REST request to the OpenTok REST API, I was getting that my JWT token was "expired".

Wandering around a little bit, I performed a dummy request to the server just to fetch the server date. By using the same date from the server as the token expiration time, I was able to list videos belonging to a session.

This is clearly wrong; the iat time and the exp time should not match the server date.

Possible solutions:

A) The user should be able to specify his server time zone and the OpenTok REST server should match those dates regarding the time zone configured for a given project.

B) Disregard the iat and consider the expiration time in seconds.

Thanks

Upvotes: 0

Views: 273

Answers (2)

aiham

Reputation: 3614

This is an indication that the clock on your server is not synced correctly. The PHP SDK from version 2.5.0 onwards has JWT implemented and has been proven to work correctly. I recommend you upgrade to v2.5.0 and ensure your server clock is accurate.

Upvotes: 1
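The clock-skew failure described in this answer, as an added example that is not part of the answer or the OpenTok SDK: `iat` and `exp` are seconds since the Unix epoch in UTC, so time zones play no part, and a token built from a local clock that runs behind is already expired when it arrives. The function names, the sample Date header and the verifier model are assumptions made for illustration; the 180-second lifetime is the one used in the patch on this page.

```php
<?php
// Added example, not code from the post or the OpenTok SDK. Function names
// and sample values are constructed; checkTimeClaims() is a generic model
// of a verifier's time checks, not OpenTok's server logic.

/** Parse an HTTP Date header (always GMT) into a Unix timestamp. */
function httpDateToTimestamp(string $header): int
{
    $dt = DateTimeImmutable::createFromFormat(
        'D, d M Y H:i:s \G\M\T', $header, new DateTimeZone('UTC')
    );
    if ($dt === false) {
        throw new InvalidArgumentException("Unparseable Date header: $header");
    }
    return $dt->getTimestamp();
}

/** Time checks on iat/exp; $leeway tolerates a few seconds of skew. */
function checkTimeClaims(array $claims, int $verifierNow, int $leeway = 0): string
{
    if ($claims['iat'] - $leeway > $verifierNow) {
        return 'rejected: iat is in the future';
    }
    if ($claims['exp'] + $leeway <= $verifierNow) {
        return 'rejected: expired';
    }
    return 'accepted';
}

// Constructed scenario: the local clock runs 10 minutes behind the server.
$serverNow = httpDateToTimestamp('Tue, 27 Jun 2017 15:00:00 GMT');
$localNow  = $serverNow - 600;

// Claims built from the skewed local clock, valid for 180 seconds.
$skewed = array('iat' => $localNow, 'exp' => $localNow + 180);
// Claims built after the clock has been synced (for example via NTP).
$synced = array('iat' => $serverNow, 'exp' => $serverNow + 180);

printf("local clock skew: %+d s\n", $localNow - $serverNow);
printf("skewed clock: %s\n", checkTimeClaims($skewed, $serverNow));
printf("synced clock: %s\n", checkTimeClaims($synced, $serverNow));
```

Comparing `time()` with the `Date` header of any API response gives the same skew figure on a live host and shows whether the system clock needs to be resynchronised.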

ln -s

Reputation: 324

Patch

/**
 * Useless class used to fix bugs and solve single session archive fetching
 * issue in opentok.
 * 
 * This class also implements JWT in order to comply with the new authentication
 * system that will be in use during July of 2017.
 * 
 * A problem was also detected when trying to authenticate (date issue)
 *
 * @see https://github.com/opentok/OpenTok-PHP-SDK/issues/172
 * @see https://stackoverflow.com/questions/44768499/opentok-jwt-authenticacion-bug
 * 
 * @author Federico Stange <[email protected]>
 */

namespace stange\opentok;

use \Firebase\JWT\JWT;
use \Guzzle\Common\Event;
use \OpenTok\Util\Client as OpenTokClient;

class OTAuthPlugin extends \OpenTok\Util\Plugin\PartnerAuth{

    private $timestamp = null;

    public static function getSubscribedEvents(){
        return array('request.before_send' => 'onBeforeSend');
    }

    public function setTimestamp($time){
        $this->timestamp =$time;
        return $this;
    }

    public function getTimestamp(){
        return $this->timestamp;
    }

    public function onBeforeSend(Event $event){

        $event['request']->addHeader(
                'X-OPENTOK-AUTH', 
                $this->createAuthHeader()
        );

    }

    private function createAuthHeader(){

        $token = array(
            'ist' => 'project',
            'iss' => $this->apiKey,
            'iat' => $this->timestamp,
            'exp' => $this->timestamp+180,
            'jti' => uniqid()
        );

        return JWT::encode($token, $this->apiSecret);

    }

}

class Client extends OpenTokClient{

    public function configure($apiKey, $apiSecret, $apiUrl){
        $this->apiKey = $apiKey;
        $this->apiSecret = $apiSecret;
        $this->setBaseUrl($apiUrl);
        $this->setUserAgent(OPENTOK_SDK_USER_AGENT, true);

        $opentokAuthPlugin = new OTAuthPlugin($apiKey, $apiSecret);
        $opentokAuthPlugin->setTimestamp($this->getServerDate());

        $this->addSubscriber($opentokAuthPlugin);

        $this->configured = true;
    }

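    /**
     * Make a request for getting the server date.
     * This is a bug and it has been reported to the OpenTok team
     * and to the tech support department.
     */

    public function getServerDate(){

        try{

            // A random project id normally makes the server answer with an
            // error, which Guzzle raises as an exception (handled below).
            $response = $this->get(
                "/v2/project/". md5(uniqid())
            )->send();

        } catch (\Exception $e) {

            // Only HTTP error exceptions carry a response; rethrow the rest.
            if (!method_exists($e, 'getResponse') || !$e->getResponse()) {
                throw $e;
            }

            $response = $e->getResponse();

        }

        // Read the Date header from whichever response came back.
        $date = $response->getHeader('Date')->toArray();
        $date = $date[0];

        $serverDate = \DateTime::createFromFormat(
                "D, d M Y H:i:s e",
                $date
        );

        return $serverDate->getTimestamp();

    }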

    public function listArchivesInSession($sessionId){
        $url = "/v2/project/{$this->apiKey}/archive?sessionId=$sessionId";
        $request = $this->get($url);
        return $request->send()->json();
    }

}

Upvotes: 0
