lepture / authlib

The ultimate Python library for building OAuth and OpenID Connect clients and servers. JWS, JWE, JWK, JWA and JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

RFC7519 JWTClaims.validate_iat() doesn't utilise the leeway parameter #564

Closed dhallam closed 1 year ago

dhallam commented 1 year ago

Describe the bug

The JWTClaims.validate_iat() function in authlib/jose/rfc7519/claims.py doesn't utilise the leeway parameter. The function should validate that the iat claim is "reasonable" relative to the current time.

Expected behavior

~The validate_iat() function should raise an InvalidTokenError if the iat claim value is outside the now ± leeway window.~

The validate_iat() function should raise an InvalidTokenError if the iat claim value is after now + leeway.

Environment:

lepture commented 1 year ago

@dhallam I don't understand why? iat is just the time that this token is issued. According to the spec:

        The "iat" (issued at) claim identifies the time at which the JWT was
        issued.  This claim can be used to determine the age of the JWT.  Its
        value MUST be a number containing a NumericDate value.  Use of this
        claim is OPTIONAL.

I think you are mistaking it for exp and nbf.

dhallam commented 1 year ago

@lepture What I'm looking at is verifying that the iat is not set to a value that is (too far) in the future, so the ± in my original post is incorrect. I've edited the original "expected behaviour" section in the original post to make it clearer.

As mentioned in https://github.com/square/go-jose/issues/216 there is a test case for an issue date that is set in the future at https://cloud.google.com/iap/docs/query-parameters-and-headers-howto#testing_jwt_verification.

lepture commented 1 year ago

@dhallam Oh, you mean iat should not be a future time?

dhallam commented 1 year ago

Yes, sorry - I could have been clearer :-) PR raised for review https://github.com/lepture/authlib/pull/565

dhallam commented 1 year ago

I see you've already pushed a PR - will let you run with the best approach. Ping me if you need any feedback. Many thanks.