SDK: token API intermittently returns 400 Bad Request

I’m using the DuoUniversal C# SDK. Everything works fine most of the time. But intermittently, the call to Client.ExchangeAuthorizationCodeFor2faResult() throws an error because the call to the /oauth/v1/token API has returned a 400 Bad Request response code. My computer clock is accurate. What might cause it to intermittently fail like this?

Some more info. I ran the client library in source (from GitHub) and found the HTTP 400 error response from the API has the following body:

{"error": "invalid_client", "error_description": "Invalid Client assertion: Token used before nbf."}

But as I said, my computer clock on my web server is accurate.

It looks like the client library generates a JWT to pass to the API with an nbf field set to exactly the current time on the web server. Which would mean that if the web server’s time is even a second ahead of the Duo API server’s time, the Duo API would reject the call… that can’t be right, can it?

Update: was a bug in the C# client library. Apparently there will be a fixed version 1.1.1 available shortly!

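The failure mode described in this post, as an added example that is not part of the original post and is not DuoUniversal SDK or Duo server code: a client assertion whose nbf equals the issuer's "now" is rejected as soon as the validator's clock is behind, unless the issuer backdates nbf or the validator allows leeway (RFC 7519 permits a small leeway for clock skew). All names, the 30-second values and the timestamp are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; class, method names and values are hypothetical.
static class NbfSkewDemo
{
    // Client side: time claims for a client assertion.
    // backdate = how far before the client's "now" nbf is placed.
    static Dictionary<string, long> BuildTimeClaims(
        DateTimeOffset clientNow, TimeSpan backdate, TimeSpan lifetime)
    {
        long now = clientNow.ToUnixTimeSeconds();
        return new Dictionary<string, long>
        {
            ["iat"] = now,
            ["nbf"] = now - (long)backdate.TotalSeconds,
            ["exp"] = now + (long)lifetime.TotalSeconds,
        };
    }

    // Validator side: nbf/exp check with a configurable leeway.
    static string Validate(
        Dictionary<string, long> claims, DateTimeOffset serverNow, TimeSpan leeway)
    {
        long now = serverNow.ToUnixTimeSeconds();
        long skew = (long)leeway.TotalSeconds;
        if (now + skew < claims["nbf"]) return "Token used before nbf";
        if (now - skew >= claims["exp"]) return "Token expired";
        return "ok";
    }

    static void Main()
    {
        var serverNow = DateTimeOffset.FromUnixTimeSeconds(1_700_000_000); // constructed
        var lifetime = TimeSpan.FromMinutes(5);
        var thirty = TimeSpan.FromSeconds(30); // assumed tolerance

        foreach (int aheadSec in new[] { 0, 1, 2 })
        {
            var clientNow = serverNow.AddSeconds(aheadSec); // client clock ahead of server
            var strict = BuildTimeClaims(clientNow, TimeSpan.Zero, lifetime);
            var backdated = BuildTimeClaims(clientNow, thirty, lifetime);

            Console.WriteLine($"client +{aheadSec}s");
            Console.WriteLine($"  nbf=now, no leeway   : {Validate(strict, serverNow, TimeSpan.Zero)}");
            Console.WriteLine($"  nbf=now-30s          : {Validate(backdated, serverNow, TimeSpan.Zero)}");
            Console.WriteLine($"  nbf=now, 30s leeway  : {Validate(strict, serverNow, thirty)}");
        }
    }
}
```

With zero skew every case passes; at +1s and +2s only the strict nbf=now token with no leeway is rejected, which matches the intermittent 400 reported above.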