Use iat_leeway option #273

Closed
wohlgejm opened this issue Jul 24, 2018 · 3 comments

Comments

@wohlgejm
Contributor

It looks like iat_leeway is not being used when verifying iat. I believe #272 fixes this. There's a spec that asserts global leeway is not used during this verification, so is iat_leeway not meant to be used?

@excpt
Member

excpt commented Jul 24, 2018

Hi @wohlgejm,

I just read the RFC again.

Only the exp and nbf claims should implement a leeway. The iat claim provides only information about the creation of the token. The exp and nbf tokens should be used for time-based validations against the token.

The iat_leeway should be removed then from the code as it is not specified in the RFC.

Source: https://tools.ietf.org/html/rfc7519#section-4.1.6
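
The time-claim handling described in the comment above, as an added example that is not part of the original thread or the library's own code: leeway is applied to exp and nbf only, while iat is reported as the token's age and never causes a time-based rejection. `validate_time_claims`, `time_claims_valid?` and `TimeClaimError` are hypothetical names, and the payload is assumed to be a claims hash whose signature has already been verified.

```ruby
# Added example; names are hypothetical and not the library's API.
class TimeClaimError < StandardError; end

# payload: Hash with string keys (claims of an already signature-verified JWT).
# leeway:  seconds of clock skew tolerated, applied to exp and nbf only.
# now:     injectable clock (epoch seconds) so the checks can be tested.
def validate_time_claims(payload, leeway: 0, now: Time.now.to_i)
  %w[exp nbf iat].each do |claim|
    next unless payload.key?(claim)
    raise TimeClaimError, "#{claim} must be numeric" unless payload[claim].is_a?(Numeric)
  end

  # exp: the current time must be before exp; leeway widens the window.
  if payload.key?('exp') && now >= payload['exp'] + leeway
    raise TimeClaimError, 'token expired'
  end

  # nbf: the current time must be at or after nbf; leeway admits a token
  # presented slightly early because of clock skew.
  if payload.key?('nbf') && now < payload['nbf'] - leeway
    raise TimeClaimError, 'token not yet valid'
  end

  # iat: informational. No leeway and no time-based rejection; the age is
  # returned so the caller can apply its own policy if it wants one.
  { age: payload.key?('iat') ? now - payload['iat'] : nil }
end

# Boolean wrapper around validate_time_claims.
def time_claims_valid?(payload, **opts)
  validate_time_claims(payload, **opts)
  true
rescue TimeClaimError
  false
end

# Constructed sample: a token that expired 10 seconds before SAMPLE_NOW.
SAMPLE_NOW = 1_532_390_400
SAMPLE_PAYLOAD = { 'iat' => SAMPLE_NOW - 310, 'exp' => SAMPLE_NOW - 10 }.freeze

if __FILE__ == $PROGRAM_NAME
  puts time_claims_valid?(SAMPLE_PAYLOAD, leeway: 0, now: SAMPLE_NOW)
  puts time_claims_valid?(SAMPLE_PAYLOAD, leeway: 30, now: SAMPLE_NOW)
end
```
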

@wohlgejm
Contributor Author

👍 thanks for the quick response @excpt. Would you take a PR to remove it?

@excpt
Member

excpt commented Jul 24, 2018

Yes. This would be great.
