Open vergenzt opened 5 months ago
cc @CollinEMac, @4dhyperplane, @ddhecker, @sb-keane, @mikkelsvartveit, @fdemmer, @gobengo, @nicktimko, @pengale -- tagging folks who 👍'd on my previous rant and/or have litigated this in the past 😅
I strongly agree with this, the current behavior is a terrible default for a JWT library
Thanks for the thoughtful and thorough issue. I'm down with rectifying this on a v3. We'll need to add a deprecation warning on the next v2 release.
Opening a new issue since my previous rant about this was on a closed issue.
Request
Could we set the default value of
verify_iat
toFalse
and publish this breaking change as version 3.0?Clients who understand the risks and want to engage in this extra-spec behavior should opt in by setting
verify_iat
toTrue
, and the need to do this should be announced in the changelog for this new major version. (Or maybe there could be a global variable in pyjwt to control theverify_iat
default?)Timeline of this behavior
iat <= now
validation was added in (I believe) the initial version of this libraryiat <= now
validation was removed in 1.5.0 via #252iat <= now
validation was re-added in 2.6.0 via #794 (current state)Other related issues
190 was a previous report/discussion of this issue before it was removed the first time
814 was deeply related to this issue, but in that particular user's case ended up being caused by a rounding error instead
821 was marked as "resolving" #814, but only removed the rounding error (it did not remove
iat <= now
validation)Status of erratum report on official spec
I've filed an erratum report on the upstream JWT RFC here: https://www.rfc-editor.org/errata/eid7720. Discussion is ongoing, but the only controversy seems to be whether and/or how to publish the advice not do this, not whether or not this validation is appropriate. (Most seem to agree that this validation is not appropriate to perform.)
The discussion mailing list unfortunately appears to be private, but I've asked for either a public archive link (if one exists) and/or consent for me to share folks' responses if indeed the list is private; I'll update here if I receive either.
Justification
To copy/paste my previous comment on the closed issue:
Thoughts? Can we settle this once and for all?