Intermediate · Scenario · 10 min
Intermittent 401s Due to JWT/Clock Skew
Tags: Security, Auth, Time Sync
Interview Question
Clients intermittently receive 401 Unauthorized even with valid JWTs. Walk through diagnosing and fixing the issue.
Key Points to Cover
- Check token clocks: iat/nbf/exp vs server time; verify NTP drift
- Validate issuer/audience/alg claims and key rotation
- Review leeway/skew configuration in validators
- Inspect load balancers/proxies that strip auth headers
- Add time sync alerts and rotate keys safely
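To make the first and third points concrete, here is an added example (not part of the original question page) of a minimal HS256 verifier with an injectable clock, so the effect of server drift on the nbf/exp checks can be reproduced deterministically. The secret, issuer, audience and epoch values are constructed for the demo; the hand-rolled verifier is for illustration of the leeway logic, and a production service would get the same behaviour from its JWT library's leeway setting.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; an HS256 key used only for this example.
DEMO_SECRET = b"example-shared-secret-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now: float, leeway: int = 0,
                 issuer: Optional[str] = None, audience: Optional[str] = None,
                 secret: bytes = DEMO_SECRET):
    """Verify alg, signature, iss/aud and the time claims.

    Returns (ok, reason). `now` is passed in rather than read from the
    system clock so that clock drift can be simulated in the demo below.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own alg field must not select the verifier.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if issuer is not None and claims.get("iss") != issuer:
        return False, "bad issuer"
    if audience is not None and claims.get("aud") != audience:
        return False, "bad audience"
    # Time checks with leeway applied in the token's favour on each bound.
    if "exp" in claims and now >= claims["exp"] + leeway:
        return False, "expired"
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return False, "not yet valid"
    if "iat" in claims and now < claims["iat"] - leeway:
        return False, "issued in the future"
    return True, "ok"


def demo_skew(drift_seconds: int, leeway: int) -> tuple:
    """Issuer mints a token at its own time; the verifier's clock is
    `drift_seconds` off from it. Returns (ok, reason) from the verifier."""
    issuer_now = 1_700_000_000  # constructed fixed epoch for determinism
    token = mint_token({"iss": "auth.example", "aud": "api.example",
                        "iat": issuer_now, "nbf": issuer_now,
                        "exp": issuer_now + 300})
    verifier_now = issuer_now + drift_seconds
    return verify_token(token, now=verifier_now, leeway=leeway,
                        issuer="auth.example", audience="api.example")


if __name__ == "__main__":
    # Verifier 3 s behind the issuer: a strict validator rejects the fresh token.
    print(demo_skew(drift_seconds=-3, leeway=0))   # (False, 'not yet valid')
    # Same drift with 30 s of leeway: accepted.
    print(demo_skew(drift_seconds=-3, leeway=30))  # (True, 'ok')
```

The first call is the intermittent-401 symptom from the question: a token that is valid on the issuer's clock fails nbf on a verifier running a few seconds behind, and whether a given request fails depends on which backend instance (with which drift) handles it. Leeway masks small drift but not a 400 s gap, so the durable fix is NTP monitoring on every verifier plus a bounded leeway, not an ever-larger leeway.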
Evaluation Rubric
- Considers clock skew and time sync (30% weight)
- Validates token claims/keys properly (30% weight)
- Checks LB/proxy and header handling (20% weight)
- Implements durable remediation (20% weight)
Hints
- 💡 Small clock drift can break strict validators.
Potential Follow-up Questions
- ❓ How do you rotate JWKS keys?
- ❓ What leeway is reasonable?