Interview Questions/Troubleshooting Scenarios/Intermittent 401s Due to JWT/Clock Skew
IntermediateScenario
10 min

Intermittent 401s Due to JWT/Clock Skew

SecurityAuthTime Sync
Advertisement
Interview Question

Clients intermittently receive 401 Unauthorized even with valid JWTs. Walk through diagnosing and fixing the issue.

Key Points to Cover
  • Check token clocks: iat/nbf/exp vs server time; verify NTP drift
  • Validate issuer/audience/alg claims and key rotation
  • Review leeway/skew configuration in validators
  • Inspect load balancers/proxies that strip auth headers
  • Add time sync alerts and rotate keys safely
Evaluation Rubric
Considers clock skew and time sync30% weight
Validates token claims/keys properly30% weight
Checks LB/proxy and header handling20% weight
Implements durable remediation20% weight
Hints
  • 💡Small clock drift can break strict validators.
Common Pitfalls to Avoid
  • ⚠️Assuming the JWT itself is always the problem, neglecting server-side configurations.
  • ⚠️Not explicitly checking NTP status and server time synchronization as the first step.
  • ⚠️Focusing only on expiration time and ignoring `iat` and `nbf` claims, especially in sensitive applications.
  • ⚠️Overlooking the impact of active key rotation and potential delays in key distribution/refreshment.
  • ⚠️Incorrectly configuring leeway settings without understanding the implications for security versus tolerance for clock drift.
Potential Follow-up Questions
  • How do you rotate JWKS keys?
  • What leeway is reasonable?
Advertisement
Back to Troubleshooting ScenariosView All Categories