bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License

GrantType urn:ietf:params:oauth:grant-type:jwt-bearer validation for claim "nbf" not RFC-7519 compliant #961

Closed svenvds closed 5 years ago

svenvds commented 5 years ago

Hi, according to RFC 7519, the nbf claim is defined as follows:

4.1.5. "nbf" (Not Before) Claim

The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. … Use of this claim is OPTIONAL.

I checked the master branch, and the nbf is tested as strictly before time().

https://github.com/bshaffer/oauth2-server-php/blob/5a0c8000d4763b276919e2106f54eddda6bc50fa/src/OAuth2/GrantType/JwtBearer.php#L145

bshaffer commented 5 years ago

Sorry, but I believe you are mistaken as to what the logic means. If the $notBefore time set by the JWT (e.g. "the year 3000") is GREATER THAN the current time (e.g. time()), the JwtBearer class throws an error.

So, said another way, if time() is BEFORE (or less than) the "not-before time", then it throws an error. This is correctly implemented.
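For reference, the RFC 7519 rule the thread is discussing, written out as an added example that is not code from oauth2-server-php: a hypothetical validateJwtTimeClaims() helper rejects the token only while the current time is strictly before nbf (so now == nbf is accepted, matching the library's "greater than" check) and, for contrast, rejects exp when now >= exp. The optional leeway parameter and the sample claims are assumptions for the example.

```php
<?php
// Added example, not part of oauth2-server-php. Checks the time-based JWT
// claims as RFC 7519 defines them:
//   nbf (4.1.5): accept only when now >= nbf   (equality is accepted)
//   exp (4.1.4): accept only when now <  exp   (equality is rejected)
// $leeway is the optional clock-skew allowance in seconds (assumed parameter).
// Returns null when every present time claim is acceptable, else a reason.
function validateJwtTimeClaims(array $claims, int $now, int $leeway = 0): ?string
{
    if (array_key_exists('nbf', $claims)) {
        if (!is_numeric($claims['nbf'])) {
            return 'nbf claim must be a NumericDate';
        }
        // Reject only while the current time is strictly before nbf.
        if ($now + $leeway < $claims['nbf']) {
            return 'JWT is not yet valid (nbf is in the future)';
        }
    }
    if (array_key_exists('exp', $claims)) {
        if (!is_numeric($claims['exp'])) {
            return 'exp claim must be a NumericDate';
        }
        // Current time MUST be before exp, so now == exp is already expired.
        if ($now - $leeway >= $claims['exp']) {
            return 'JWT has expired';
        }
    }
    return null;
}

// Constructed sample claims: valid from t=1000, expiring at t=1600.
$claims = ['iss' => 'client-1', 'sub' => 'user-7', 'nbf' => 1000, 'exp' => 1600];

// Walk the boundaries: just before nbf, exactly nbf, just before exp, exactly exp.
foreach ([999, 1000, 1599, 1600] as $now) {
    $reason = validateJwtTimeClaims($claims, $now);
    printf("now=%d: %s\n", $now, $reason ?? 'accepted');
}

// With 10 seconds of leeway, a clock 5 seconds behind nbf is still accepted.
printf("now=995, leeway=10: %s\n", validateJwtTimeClaims($claims, 995, 10) ?? 'accepted');
```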