Open Eric2017a opened 7 years ago
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
:memo: Please visit https://cla.developers.google.com/ to sign.
Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.
I signed the CLA
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for the commit author(s). If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again.
Just to add a little background to this change. Per the JWT specifications, the iat claim is used to determine the age of the JWT, but does not affect validity processing in any manner per section 4.1.6 of RFC 7519. Implementations that treat the iat claim as a not-before time are incorrect. JWTs are valid from the beginning of time till the end of time, regardless of the issue time, unless the JWT is constrained by exp and/or nbf claims. JWTs without exp claims are valid till the end of time, while those missing nbf claims are valid from the beginning of time.
The fix here limits the duration of the JWT claim to the time the claim was created till the exp claim date, if any. A better fix would be to add an option to set the not-before time explicitly via a property (with a null/empty property value defaulting to the iat time and a missing property omitting the nbf claim entirely, similar to the way exp is handled).
CLAs look good, thanks!
Fixed up author info, commit name should now be correct.
This ensures the JWT will not be considered valid for times before it was issued. Failing to limit the validity in this manner is a potential security hole.
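The two points made in this thread (that only exp and nbf constrain validity while iat is informational, and that an issuer who wants a token to be unusable before its issue time must therefore emit nbf, defaulting it to iat) are illustrated by the following added example. It is not code from this pull request or from the project; it assumes a plain dict claims set, integer NumericDate seconds, and a small verifier leeway, and the function names are ours.

```python
"""RFC 7519 time-claim handling, written as an illustration for this thread.

Assumptions (not taken from the pull request): the claims set is a plain dict,
timestamps are integer NumericDate seconds, and the verifier tolerates a small
clock-skew leeway. Function names are hypothetical.
"""
import time
from typing import Optional


def build_claims(issuer: str, subject: str, lifetime_s: Optional[int],
                 not_before: Optional[int] = None,
                 now: Optional[int] = None) -> dict:
    """Construct a claims set on the issuing side.

    - iat is always recorded as the creation time (RFC 7519 4.1.6).
    - exp is emitted only when a lifetime is given; a missing exp means the
      token never expires (4.1.4).
    - nbf defaults to iat, which is the behaviour the pull request introduces,
      so the token cannot be accepted for times before it was issued; an
      explicit not_before overrides that default (the "better fix" suggested
      in the thread).
    """
    iat = int(time.time()) if now is None else now
    claims = {
        "iss": issuer,
        "sub": subject,
        "iat": iat,
        "nbf": iat if not_before is None else not_before,
    }
    if lifetime_s is not None:
        claims["exp"] = iat + lifetime_s
    return claims


def validate_time_claims(claims: dict, now: int,
                         leeway_s: int = 0) -> Optional[str]:
    """Return None when the token is temporally valid, else a short reason.

    Only exp (4.1.4) and nbf (4.1.5) constrain validity. iat (4.1.6) is
    deliberately not consulted: treating it as a not-before time would be
    non-compliant, which is exactly why the issuer must set nbf itself when
    it wants that restriction.
    """
    exp = claims.get("exp")
    if exp is not None and now > exp + leeway_s:
        return "expired"
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway_s:
        return "not yet valid"
    return None


if __name__ == "__main__":
    # Constructed sample values: a token issued at t=1_000_000 with a 1h lifetime.
    token = build_claims("issuer.example", "user-1", lifetime_s=3600, now=1_000_000)
    print(token)
    for t in (999_000, 1_000_500, 1_004_000):
        print(t, validate_time_claims(token, now=t))
    # A token that carries iat but no nbf is accepted at any earlier time:
    # the verifier is correct, the issuer simply never restricted it.
    print(validate_time_claims({"iat": 1_000_000, "exp": 1_003_600}, now=0))
```

The last print is the situation the pull request closes: with iat alone, a compliant verifier has nothing to reject a pre-issue timestamp against, so emitting nbf is the issuer's job, not the verifier's.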