oidc_proto_validate_iat: "iat" validation failure: JWT was issued more than 600 seconds in the future

Error message:

[Mon Aug 28 02:57:43 2017] [error] [client x.x.x.x] oidc_proto_validate_iat: "iat" validation failure (1503890016): JWT was issued more than 600 seconds in the future, referer: .....
[Mon Aug 28 02:57:43 2017] [error] [client x.x.x.x] oidc_proto_parse_idtoken: id_token payload could not be validated, aborting, referer: ......

Solution:

You're using PingAccess in front of mod_auth_openidc, passing the cookie on each request that is made. That cookie stays the same (at least the issuance timestamp stays the same). You'll have to make sure that the OIDCIDTokenIatSlack parameter is set to whatever you want the lifetime of the token to be. Note that OIDCSessionInactivityTimeout is only relevant in OIDC scenarios where a real session is created.

In other words, add OIDCIDTokenIatSlack to the configuration file; the maximum value is 3600.
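
To pick a value for OIDCIDTokenIatSlack, it helps to know how far the token's `iat` really is from the server clock. The following is an added example, not code from the original post or from mod_auth_openidc: it parses the error line above and reports the offset. It assumes the Apache log timestamp is in UTC and that the check is a symmetric window around the current time; `check_iat` and `diagnose` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the first error line from the page, elided referer dropped.
SAMPLE = ('[Mon Aug 28 02:57:43 2017] [error] [client x.x.x.x] '
          'oidc_proto_validate_iat: "iat" validation failure (1503890016): '
          'JWT was issued more than 600 seconds in the future')

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\].*oidc_proto_validate_iat: "iat" validation failure '
    r'\((?P<iat>\d+)\): JWT was issued more than (?P<slack>\d+) seconds')


def check_iat(iat, now, slack):
    """Accept only if now - slack <= iat <= now + slack (assumed symmetric window)."""
    if iat > now + slack:
        return 'future'
    if iat < now - slack:
        return 'past'
    return 'ok'


def diagnose(line, log_tz=timezone.utc):
    """Parse one iat failure line; return None for any other log line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # Assumption: the Apache timestamp is in log_tz (UTC unless told otherwise).
    logged = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y').replace(tzinfo=log_tz)
    now, iat, slack = int(logged.timestamp()), int(m['iat']), int(m['slack'])
    offset = iat - now  # positive: iat is ahead of the server clock
    return {
        'offset_seconds': offset,
        'configured_slack': slack,
        'verdict': check_iat(iat, now, slack),
        'min_slack_to_accept': abs(offset),
    }


if __name__ == '__main__':
    print(diagnose(SAMPLE))
```

A larger slack also lengthens the time during which an old token still passes this check, so choose the smallest value that covers the measured offset. If the offset is the same on every request, compare the clocks of the token issuer and the Apache host before widening the window.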

Reference: https://github.com/pingidentity/mod_auth_openidc/issues/123

Original post: https://www.cnblogs.com/z1500592/p/7443030.html