NabuCasa / pycognito

Python library for using AWS Cognito. With support for SRP.
Apache License 2.0

Disable verifying token issued-at timestamp #224

Closed DavidLiuGit closed 1 month ago

DavidLiuGit commented 3 months ago

PyJWT v2.8.0 verifies iat (issued-at timestamp) by default. There are several discussions on disabling this check, since it is not within spec. Cognito's token verification guide does not suggest verifying iat, unlike exp. This should not be default behavior.

Other discussions:
https://github.com/jpadilla/pyjwt/issues/814
https://github.com/jpadilla/pyjwt/issues/939

DavidLiuGit commented 3 months ago

Partial trace from pycognito when verify_iat is enabled:

[...]
pycognito/__init__.py", line 266, in verify_token
    raise TokenVerificationException(
pycognito.exceptions.TokenVerificationException: Your 'access_token' token could not be verified (The token is not yet valid (iat)).

DavidLiuGit commented 2 months ago

@pvizeli bump on this PR. WDYT?