Open vikoivun opened 3 years ago
That's drf-oidc-auth version <1.0. To me it seems that since 1.0.0 drf-oidc-auth doesn't do that kind of checking any more; it doesn't mind how old iat is (which is good, using the leeway setting for oldness checking was counterintuitive to begin with, IMO). Instead of giving guidelines on how to use old versions of dependencies, I would encourage people to keep their dependencies updated.
On another note, ApiTokenAuthentication could be reimplemented without drf-oidc-auth, using the RequestJWTAuthentication. That would give more control over how the JWT really is validated.
drf-oidc-auth, by default, rejects tokens where iat is older than 600s: https://github.com/ByteInternet/drf-oidc-auth/blob/68a962446788ee55909f04daf2896b14820cfbec/oidc_auth/authentication.py#L163-L165
Perhaps django-helusers could provide a more useful default, or would this be better mentioned in the docs?
Now each project has discovered this on its own, or copied the magic setting from some other project.
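To make the point of the thread concrete, here is an added example (not code from django-helusers or drf-oidc-auth) of an iat check that keeps clock-skew leeway and maximum token age as two separate settings. The `IatPolicy`, `check_iat` and the two policy constants are hypothetical names; `LEGACY_DEFAULT` models the pre-1.0 behaviour described above, where a 600 s leeway doubled as the oldness limit.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not django-helusers or drf-oidc-auth code.
# All names below are hypothetical.

@dataclass(frozen=True)
class IatPolicy:
    leeway: int            # tolerated clock skew between issuer and verifier, seconds
    max_age: Optional[int] # reject tokens issued more than this many seconds ago; None disables

# Models the pre-1.0 drf-oidc-auth default described in the thread: the leeway
# value (600 s) is also the only thing that bounds how old a token may be.
LEGACY_DEFAULT = IatPolicy(leeway=600, max_age=0)

# Separated settings: a small skew allowance plus an explicit, deliberate max age.
# (Constructed values, not a recommendation from the project.)
SEPARATED = IatPolicy(leeway=60, max_age=3600)

def check_iat(claims: dict, now: int, policy: IatPolicy) -> Optional[str]:
    """Return None when the token's iat is acceptable, else a short reason.

    `claims` is the already signature-verified JWT payload; `now` is the
    verifier's clock as a UNIX timestamp. Signature checks are out of scope here.
    """
    iat = claims.get("iat")
    if not isinstance(iat, int) or isinstance(iat, bool):
        return "missing or non-integer iat"
    # Issuer clock ahead of ours: tolerate up to `leeway`, no more.
    if iat > now + policy.leeway:
        return "iat is in the future beyond leeway"
    # Age limit: leeway is added so a skewed issuer clock cannot cause
    # spurious rejections right at the max_age boundary.
    if policy.max_age is not None and now - iat > policy.max_age + policy.leeway:
        return f"token older than max_age ({policy.max_age}s)"
    return None

def demo() -> dict:
    """Constructed timestamps showing how the same token fares under each policy."""
    now = 1_700_000_000
    token_700s_old = {"iat": now - 700}
    token_skewed_future = {"iat": now + 30}
    token_4000s_old = {"iat": now - 4000}
    return {
        "legacy_700s": check_iat(token_700s_old, now, LEGACY_DEFAULT),
        "separated_700s": check_iat(token_700s_old, now, SEPARATED),
        "separated_future30s": check_iat(token_skewed_future, now, SEPARATED),
        "separated_4000s": check_iat(token_4000s_old, now, SEPARATED),
    }
```

Under `LEGACY_DEFAULT` the 700 s old token is rejected purely because 700 > 600, while `SEPARATED` accepts it and only rejects the 4000 s old one; the 30 s skew is tolerated by both.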