-
-
Notifications
You must be signed in to change notification settings - Fork 694
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please stop validating that iat <= now
by default
#939
Comments
cc @CollinEMac, @4dhyperplane, @ddhecker, @sb-keane, @mikkelsvartveit, @fdemmer, @gobengo, @nicktimko, @pengale -- tagging folks who 👍'd on my previous rant and/or have litigated this in the past 😅 |
I strongly agree with this, the current behavior is a terrible default for a JWT library |
Thanks for the thoughtful and thorough issue. I'm down with rectifying this on a v3. We'll need to add a deprecation warning on the next v2 release. |
PyJWT v2.8.0 verifies `iat` (issued-at timestamp) by default. There are several discussions on disabling this check, since it is not within spec. [Cognito's token verification guide](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-manually-inspect) does not suggest verifying `iat`, unlike `exp`. Other discussions: jpadilla/pyjwt#814 jpadilla/pyjwt#939
A difference between or serveur clocks causes some ImmatureSignatureError. It' not even mandatory to check it, see jpadilla/pyjwt#939
A difference between or serveur clocks causes some ImmatureSignatureError. It' not even mandatory to check it, see jpadilla/pyjwt#939
A difference between or serveur clocks causes some ImmatureSignatureError. It' not even mandatory to check it, see jpadilla/pyjwt#939
Opening a new issue since my previous rant about this was on a closed issue.
Request
Could we set the default value of
verify_iat
toFalse
and publish this breaking change as version 3.0?Clients who understand the risks and want to engage in this extra-spec behavior should opt in by setting
verify_iat
toTrue
, and the need to do this should be announced in the changelog for this new major version. (Or maybe there could be a global variable in pyjwt to control theverify_iat
default?)Timeline of this behavior
iat <= now
validation was added in (I believe) the initial version of this libraryiat <= now
validation was removed in 1.5.0 via Remove rejection of future 'iat' claims #252iat <= now
validation was re-added in 2.6.0 via Handling 'ImmatureSignatureError' for issued_at time #794 (current state)Other related issues
iat <= now
validation)Status of erratum report on official spec
I've filed an erratum report on the upstream JWT RFC here: https://www.rfc-editor.org/errata/eid7720. Discussion is ongoing, but the only controversy seems to be whether and/or how to publish the advice not do this, not whether or not this validation is appropriate. (Most seem to agree that this validation is not appropriate to perform.)
The discussion mailing list unfortunately appears to be private, but I've asked for either a public archive link (if one exists) and/or consent for me to share folks' responses if indeed the list is private; I'll update here if I receive either.
Justification
To copy/paste my previous comment on the closed issue:
Thoughts? Can we settle this once and for all?
The text was updated successfully, but these errors were encountered: