tokusumi / fastapi-cloudauth

Simple integration between FastAPI and cloud authentication services (AWS Cognito, Auth0, Firebase Authentication).
MIT License

Cognito "iat" claim set in the future #65

Open eelkeh opened 2 years ago

eelkeh commented 2 years ago

We're running into an issue where the iat claim (Issued At) in AWS Cognito is ~1 second into the future (on multiple machines and server configurations, synced with NTP). Would it be helpful to maybe add a configurable time delta to verification to account for these slightly out-of-sync use cases? I can create a PR for this, but I first wanted to check whether this would be anything that could be incorporated.

michaeltoqua commented 2 years ago

I am running into the same problem, also with AWS Cognito. It took me quite a while before I found out that the iat was causing our tests to fail.

I am not sure whether verification of the iat timestamp is even the right way to go. The JWT spec says nothing about how iat should be verified. In case issue dates should be verified, nbf seems more appropriate. The spec also allows for a small leeway to account for clock skew. A relevant discussion around this topic can be found at https://github.com/auth0/java-jwt/issues/254.
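The following is an added example, not code from fastapi-cloudauth or from either commenter, showing what the configurable leeway proposed above looks like when applied to the JWT time claims (exp, nbf, iat), and what happens to a token whose iat is one second ahead of the verifier's clock. The token, its header (`alg`/`kid` values) and the claim values are constructed for the demo; the signature segment is a placeholder, because signature verification is assumed to happen elsewhere and is out of scope here. The `verify_iat` switch is an assumed option that models the second commenter's point that nbf, not iat, carries the "not valid before" meaning.

```python
import base64
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed compact JWS (header.payload.signature) for the demo.

    The header values and the signature are placeholders, not Cognito output;
    this example only models the time-claim checks, not signing.
    """
    header = {"alg": "RS256", "kid": "example-kid"}  # assumed, constructed header
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_time_claims(claims: dict, now: int, leeway: int = 0, verify_iat: bool = True) -> bool:
    """Apply exp/nbf/iat checks with a symmetric clock-skew leeway in seconds.

    Raises ValueError on failure, returns True on success. 'iat' is rejected
    when it lies further in the future than the leeway allows; verify_iat=False
    disables that check entirely so only nbf and exp decide validity.
    """
    exp = claims.get("exp")
    if exp is not None and now > exp + leeway:
        raise ValueError("token expired (exp)")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        raise ValueError("token not yet valid (nbf)")
    iat = claims.get("iat")
    if verify_iat and iat is not None and now < iat - leeway:
        raise ValueError("token issued in the future (iat)")
    return True


def demo(now: Optional[int] = None) -> dict:
    """Reproduce the reported case: iat one second ahead of the verifier's clock."""
    now = int(time.time()) if now is None else now
    # Constructed claims: iat is 1 s in the future, nbf/exp are otherwise sane.
    claims = {"sub": "user-123", "iat": now + 1, "nbf": now - 5, "exp": now + 3600}
    decoded = decode_claims(make_sample_token(claims))
    scenarios = {
        "strict": {"leeway": 0},                      # what the reporter hits
        "leeway_2s": {"leeway": 2},                   # proposed configurable delta
        "skip_iat": {"leeway": 0, "verify_iat": False},  # don't verify iat at all
    }
    results = {}
    for label, kwargs in scenarios.items():
        try:
            check_time_claims(decoded, now, **kwargs)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome}")
```

Two things worth keeping in mind if a leeway option is added: the same leeway also extends the window after exp, so it should stay in the low single-digit seconds rather than become a general "tolerance" knob, and a rejection caused by iat alone (nbf and exp both satisfied) is a strong hint that the problem is skew rather than a bad token.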