Hello, first of all, great library and thanks for putting it together.
My question pertains to the RFC-7519 spec for the 'iat' claim and how it is handled in this lib.
4.1.6. "iat" (Issued At) Claim
The "iat" (issued at) claim identifies the time at which the JWT was
issued. This claim can be used to determine the age of the JWT. Its
value MUST be a number containing a NumericDate value. Use of this
claim is OPTIONAL.
Since the spec says this claim is optional and doesn't specify the validity of an 'iat' claim, other than being a NumericDate value, shouldn't the library not enforce validity by default?
I see you can specify a 'leeway' time to account for clock variations and the 'iat' will be checked with this value but doesn't this break the specification? Wouldn't it be better to allow the consumer of the library to specify if the 'iat' claim should be checked outside of the NumericDate value requirement?
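
The distinction the question draws, as an added example that is not part of the original post and not the library's own code: the RFC-level check (if present, 'iat' must be a NumericDate) is always applied, while rejecting a future-dated 'iat' is an opt-in policy with leeway. The names `check_iat`, `reject_future` and `InvalidIssuedAt` are hypothetical, and the claims dict is assumed to come from a token whose signature has already been verified.

```python
import math
import time


class InvalidIssuedAt(ValueError):
    """Raised when the 'iat' claim fails validation."""


def check_iat(claims, *, now=None, leeway=0, reject_future=False):
    """Validate 'iat' in an already signature-verified claims dict.

    RFC 7519 section 4.1.6 only requires that 'iat', when present, is a
    NumericDate. Rejecting a future-dated 'iat' is local policy, so it is
    opt-in here via reject_future (hypothetical parameter name).
    Returns the iat value, or None when the claim is absent.
    """
    if "iat" not in claims:
        return None  # the claim is OPTIONAL
    iat = claims["iat"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    is_number = isinstance(iat, (int, float)) and not isinstance(iat, bool)
    if not is_number or (isinstance(iat, float) and not math.isfinite(iat)):
        raise InvalidIssuedAt("iat must be a NumericDate (JSON number)")
    if reject_future:
        now = time.time() if now is None else now
        if iat > now + leeway:
            raise InvalidIssuedAt("iat is in the future beyond leeway")
    return iat


# Constructed sample: the verifier's clock is 90 s behind the issuer's.
NOW = 1_700_000_000
SKEWED = {"sub": "alice", "iat": NOW + 90}


def outcome(claims, **kw):
    """Return 'accepted' or the rejection reason for the given claims."""
    try:
        check_iat(claims, now=NOW, **kw)
        return "accepted"
    except InvalidIssuedAt as exc:
        return str(exc)


if __name__ == "__main__":
    print(outcome(SKEWED))                                  # spec minimum only
    print(outcome(SKEWED, reject_future=True))              # strict, no leeway
    print(outcome(SKEWED, reject_future=True, leeway=120))  # strict, with leeway
    print(outcome({"iat": "yesterday"}))                    # not a NumericDate
```

With the strict check enabled and no leeway, a token from an issuer whose clock runs slightly ahead is rejected even though it is well-formed, which is the interoperability cost the question is pointing at.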