Closed dhallam closed 1 year ago
@dhallam I don't understand why? `iat` is just the time that this token is issued. According to the spec:

> The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

I think you are mistaking it for `exp` and `nbf`.
@lepture What I'm looking at is verifying that the `iat` is not set to a value that is (too far) in the future, so the ± in my original post is incorrect. I've edited the original "expected behaviour" section in the original post to make it clearer.

As mentioned in https://github.com/square/go-jose/issues/216 there is a test case for an issue date that is set in the future at https://cloud.google.com/iap/docs/query-parameters-and-headers-howto#testing_jwt_verification.
@dhallam Oh, you mean `iat` should not be a future time?
Yes, sorry - I could have been clearer :-) PR raised for review https://github.com/lepture/authlib/pull/565
I see you've already pushed a PR - will let you run with the best approach. Ping me if you need any feedback. Many thanks.
**Describe the bug**

The `JWTClaims.validate_iat()` function in authlib/jose/rfc7519/claims.py doesn't utilise the `leeway` parameter. The function should validate that the `iat` claim is "reasonable" relative to the current time.

**Expected behavior**

~~The `validate_iat()` function should raise an `InvalidTokenError` if the `iat` claim value is outside the `now` ± `leeway` window.~~ The `validate_iat()` function should raise an `InvalidTokenError` if the `iat` claim value is after `now` + `leeway`.

**Environment:**
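As an added illustration of the check the issue asks for (example code, not authlib's own implementation): a standalone `validate_iat` that tolerates `leeway` seconds of clock skew but rejects an `iat` that lies further in the future, with a small constructed claim set. The `InvalidTokenError` class, the function signature and the sample claims are assumptions for this example.

```python
import time


class InvalidTokenError(Exception):
    """Stand-in for the library's claim validation error (assumed name)."""


def validate_iat(claims, now=None, leeway=0):
    """Raise InvalidTokenError if "iat" is later than now + leeway.

    Only the future side is bounded: an old "iat" is still a valid issue time
    (the token's lifetime is the job of "exp"), but an issue time ahead of the
    verifier's clock by more than the permitted skew indicates a bad or
    forged token.
    """
    iat = claims.get("iat")
    if iat is None:
        return  # "iat" is OPTIONAL per RFC 7519, so absence is not an error
    # NumericDate is a JSON number; bool is excluded because it subclasses int
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        raise InvalidTokenError('"iat" must be a NumericDate')
    if now is None:
        now = time.time()
    if iat > now + leeway:
        raise InvalidTokenError('"iat" is too far in the future')


def is_iat_acceptable(claims, now, leeway=0):
    """Boolean wrapper around validate_iat for callers that prefer a flag."""
    try:
        validate_iat(claims, now=now, leeway=leeway)
    except InvalidTokenError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: verifier clock at NOW, 60 s of skew allowed.
    NOW = 1_700_000_000
    future_token = {"iss": "example-issuer", "iat": NOW + 600}  # constructed
    skewed_token = {"iss": "example-issuer", "iat": NOW + 30}   # constructed
    print("10 min ahead:", is_iat_acceptable(future_token, NOW, leeway=60))
    print("30 s ahead:  ", is_iat_acceptable(skewed_token, NOW, leeway=60))
```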