It looks like iat_leeway is not being used when verifying iat. I believe #272 fixes this. There's a spec that asserts global leeway is not used during this verification, so is iat_leeway not meant to be used?
excpt commented on Jul 24, 2018
Hi @wohlgejm,
I just read the RFC again.
Only the `exp` and `nbf` claims should implement a leeway. The `iat` claim provides only information about the creation of the token. The `exp` and `nbf` tokens should be used for time-based validations against the token.

The `iat_leeway` should be removed then from the code as it is not specified in the RFC.

Source: https://tools.ietf.org/html/rfc7519#section-4.1.6
wohlgejm commented on Jul 24, 2018
👍 thanks for the quick response @excpt. Would you take a PR to remove it?
excpt commented on Jul 24, 2018
Yes. This would be great.
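
The rule discussed in this thread (leeway applied to `exp` and `nbf`, none to `iat`), as an added Ruby example that is not part of the thread or of the project's code. `check_time_claims`, its keyword arguments and the sample payload are hypothetical names and constructed values; treating `iat` as purely informational follows the reading given in the comment above.

```ruby
# Added example: time-claim checks on an already-decoded JWT payload (a Hash
# with string keys). check_time_claims is a hypothetical helper, not a
# library API. Times are NumericDate values (seconds since the epoch).

# Returns [errors, info]. `leeway` (seconds) widens only the exp/nbf windows.
def check_time_claims(payload, now:, leeway: 0)
  errors = []
  info = {}

  # Reject malformed time claims before doing arithmetic on them.
  %w[exp nbf iat].each do |claim|
    next unless payload.key?(claim)
    errors << "#{claim} is not a NumericDate" unless payload[claim].is_a?(Numeric)
  end
  return [errors, info] unless errors.empty?

  # exp: the current time must be before exp; tolerate `leeway` of clock skew.
  if payload.key?('exp') && now >= payload['exp'] + leeway
    errors << 'token has expired'
  end

  # nbf: the current time must be at or after nbf, with the same tolerance.
  if payload.key?('nbf') && now < payload['nbf'] - leeway
    errors << 'token is not yet valid'
  end

  # iat: informational only (assumption taken from the thread), so it gets
  # no leeway and never rejects the token; it is only used to report age.
  info[:age_seconds] = now - payload['iat'] if payload.key?('iat')

  [errors, info]
end

# Constructed sample: the verifier's clock runs 20 s behind the issuer's.
NOW = 1_532_390_400
SAMPLE = { 'iat' => NOW + 20, 'nbf' => NOW + 20, 'exp' => NOW + 320 }.freeze

if __FILE__ == $PROGRAM_NAME
  [0, 30].each do |leeway|
    errors, info = check_time_claims(SAMPLE, now: NOW, leeway: leeway)
    puts "leeway=#{leeway}: errors=#{errors.inspect} info=#{info.inspect}"
  end
end
```

With no leeway the skewed token fails on `nbf`; with 30 seconds of leeway it passes, and the negative age derived from `iat` is reported without affecting the result.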