SkygearIO / skygear-server

Skygear - an open source serverless platform for modern secure app development
https://skygear.io
Apache License 2.0

Do not validate iat for JWT #1484

Closed kiootic closed 4 years ago

kiootic commented 4 years ago

ref #1482

We may want to see if v4 of the JWT library supports handling time drift.

kiootic commented 4 years ago

iat should not be validated (jwt-go is going to remove that check in v4: https://github.com/dgrijalva/jwt-go/issues/314). For validation purposes, nbf should be used instead.
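
The policy described in the comment above, as an added example that is not code from this thread, from Skygear or from jwt-go: reject on `exp` and `nbf` with a clock-skew leeway, and never reject on `iat`. It uses only the Go standard library; the names `TimeClaims`, `CheckTimeClaims` and `DecodeTimeClaims` are hypothetical, and signature verification is assumed to have happened before these functions are called.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TimeClaims holds the registered time claims of a JWT payload (RFC 7519).
type TimeClaims struct {
	Exp *int64 `json:"exp"`
	Nbf *int64 `json:"nbf"`
	Iat *int64 `json:"iat"`
}

// CheckTimeClaims rejects on exp and nbf only (with leeway); iat never rejects.
func CheckTimeClaims(c TimeClaims, now time.Time, leeway time.Duration) error {
	if c.Exp != nil && !now.Add(-leeway).Before(time.Unix(*c.Exp, 0)) {
		return errors.New("token is expired")
	}
	if c.Nbf != nil && now.Add(leeway).Before(time.Unix(*c.Nbf, 0)) {
		return errors.New("token is not valid yet")
	}
	return nil
}

// DecodeTimeClaims reads time claims from an already-verified compact JWT.
func DecodeTimeClaims(token string) (TimeClaims, error) {
	var c TimeClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(raw, &c)
}

func main() {
	// Constructed payload: iat is 30s ahead of this verifier's clock.
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"iat":1030,"exp":4600}`))
	c, _ := DecodeTimeClaims("e30." + payload + ".sig")
	fmt.Println(CheckTimeClaims(c, time.Unix(1000, 0), 5*time.Second)) // <nil>
}
```

An issuer that needs a token to be unusable before a given moment sets `nbf`; the leeway then bounds how much clock drift between issuer and verifier is tolerated.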