Open eelkeh opened 2 years ago
I am running into the same problem, also with AWS Cognito. Took me quite a while before I found out that the iat was causing our tests to fail.
I am not sure whether verification of the iat timestamp is even the right way to go. The JWT spec says nothing about how iat should be verified. In case issue dates should be verified, nbf seems more appropriate. The spec also allows for a small leeway to account for clock skew.
A relevant discussion around this topic can be found at https://github.com/auth0/java-jwt/issues/254.
We're running into an issue where the iat claim (Issued At) in AWS Cognito is ~1 second into the future (on multiple machines and server configurations, synced with NTP). Would it be helpful to maybe add a configurable time delta to verification to account for these slightly out of sync use cases? I can create a PR for this, but I first wanted to check if this would be anything that could be incorporated.
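The behaviour discussed in this thread, as an added example that is not code from the thread or from the library: a time-claim check with a configurable clock-skew allowance, run against a constructed token whose iat is 1 second ahead of the verifier's clock. The names `check_time_claims`, `leeway` and `enforce_iat` are hypothetical, and the claims are assumed to come from a token whose signature was already verified.

```python
import time

class ClaimError(ValueError):
    """Raised when a time-based claim fails validation."""

def check_time_claims(claims, now=None, leeway=0, enforce_iat=True):
    """Validate exp/nbf/iat (seconds since epoch) with a clock-skew allowance.

    Hypothetical helper: call it only on claims from a signature-verified token.
    """
    if leeway < 0:
        raise ValueError("leeway must be non-negative")
    now = time.time() if now is None else now
    for name in ("exp", "nbf", "iat"):
        value = claims.get(name)
        if name in claims and (isinstance(value, bool)
                               or not isinstance(value, (int, float))):
            raise ClaimError(f"{name} must be a number")
    # Leeway widens the acceptance window on both ends.
    if "exp" in claims and now - leeway >= claims["exp"]:
        raise ClaimError("token has expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise ClaimError("token is not yet valid (nbf)")
    # Rejecting a future iat is a policy choice, so it can be switched off.
    if enforce_iat and "iat" in claims and now + leeway < claims["iat"]:
        raise ClaimError("token was issued in the future (iat)")
    return True

def accepted(claims, **kwargs):
    """Return True/False instead of raising, for quick comparisons."""
    try:
        return check_time_claims(claims, **kwargs)
    except ClaimError:
        return False

# Constructed sample: the issuer's clock is 1 second ahead of the verifier's.
NOW = 1_700_000_000
SKEWED = {"iat": NOW + 1, "exp": NOW + 3600}

if __name__ == "__main__":
    print("no leeway:      ", accepted(SKEWED, now=NOW))
    print("leeway=5:       ", accepted(SKEWED, now=NOW, leeway=5))
    print("iat not checked:", accepted(SKEWED, now=NOW, enforce_iat=False))
```

The leeway applies to exp as well, so a few seconds of allowance also extends the lifetime of an expired token by the same amount; keep the value small.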