One thing is clear: the JWT spec does not prompt for this check and many implementations do not do it. While it sounds logical to validate that iat is not in the future, the record of real-world problems occasioned by the check, as reported in the linked discussions, justified the decision to drop it. Considering a tolerance window or leeway might mitigate the issue, but it is still not safe enough.
Note that the specs on SD-JWT verification talk about checking time-related claims in these statements:
Check that the [Issuer-signed JWT] is valid using claims such as nbf, iat, and exp in the processed payload.
Check that the creation time of the Key Binding JWT, as determined by the iat claim, is within an acceptable window.
I believe we can remain compliant and more reliable with these further changes:
Completely remove iat checks beyond emptying the corresponding method definition, as we did.
Introduce a configurable leeway for nbf and exp checks.
Given a bug found in our verifier, this change was performed:
https://github.com/adorsys/sd-jwt/pull/17/files
Revise the question and check if it makes sense within the specs.
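The two rules proposed above (no clock comparison on iat for the Issuer-signed JWT, configurable leeway on nbf and exp) together with the spec statement that the Key Binding JWT's iat must fall within an acceptable window, written out as an added Python example. This is illustrative code, not the adorsys/sd-jwt library's own (that code base is Java); the function names, the "list of problems" return shape and the default window sizes are assumptions for the example, and the payloads in the `__main__` block are constructed test data.

```python
import time
from typing import Any, List, Mapping, Optional, Union

Number = Union[int, float]


def _numeric_date(payload: Mapping[str, Any], name: str) -> Optional[Number]:
    """Return the claim as a NumericDate (seconds since the epoch), or None if absent.

    bool is a subclass of int in Python, so it is rejected explicitly; any other
    non-numeric value is a malformed claim rather than a missing one.
    """
    value = payload.get(name)
    if value is None:
        return None
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"{name} must be a NumericDate, got {type(value).__name__}")
    return value


def issuer_jwt_time_problems(payload: Mapping[str, Any], now: Optional[Number] = None,
                             leeway: Number = 0) -> List[str]:
    """Validate exp and nbf of an Issuer-signed JWT with a configurable leeway (seconds).

    Returns the reasons to reject; an empty list means the time claims are acceptable.
    iat is only checked for being a NumericDate and is never compared with the clock,
    so an issuer whose clock runs ahead of the verifier's does not cause rejections.
    """
    if leeway < 0:
        raise ValueError("leeway must be non-negative")
    now = time.time() if now is None else now
    problems: List[str] = []

    exp = _numeric_date(payload, "exp")
    nbf = _numeric_date(payload, "nbf")
    _numeric_date(payload, "iat")  # type check only; deliberately no clock comparison

    # RFC 7519: the current time MUST be before exp, so reject when now >= exp (+ leeway).
    if exp is not None and now >= exp + leeway:
        problems.append(f"expired: now={now} >= exp={exp} + leeway={leeway}")
    # RFC 7519: the current time MUST be on or after nbf, so reject when now < nbf (- leeway).
    if nbf is not None and now < nbf - leeway:
        problems.append(f"not yet valid: now={now} < nbf={nbf} - leeway={leeway}")
    return problems


def kb_jwt_time_problems(payload: Mapping[str, Any], now: Optional[Number] = None,
                         max_age: Number = 300, max_future: Number = 60) -> List[str]:
    """Check that the Key Binding JWT's creation time (iat) lies within an acceptable window.

    The window is [now - max_age, now + max_future]. Both bounds are assumed policy values
    for this example; the spec text quoted in the issue fixes no particular size.
    """
    if max_age < 0 or max_future < 0:
        raise ValueError("window bounds must be non-negative")
    now = time.time() if now is None else now
    iat = _numeric_date(payload, "iat")
    if iat is None:
        return ["iat is required in a Key Binding JWT"]
    problems: List[str] = []
    if now - iat > max_age:
        problems.append(f"KB-JWT too old: created {now - iat:.0f}s ago, max_age={max_age}")
    if iat - now > max_future:
        problems.append(f"KB-JWT created {iat - now:.0f}s in the future, max_future={max_future}")
    return problems


if __name__ == "__main__":
    # Constructed payloads: the issuer's iat is far in the verifier's future, which with
    # the old check would have rejected an otherwise valid token; here it is ignored.
    verifier_now = 1_700_000_000
    issuer_payload = {"iat": verifier_now + 3600, "nbf": verifier_now - 10, "exp": verifier_now + 600}
    print("issuer-signed JWT:", issuer_jwt_time_problems(issuer_payload, now=verifier_now, leeway=60) or "ok")

    # Constructed KB-JWT created 10 minutes ago: outside a 5 minute window.
    kb_payload = {"iat": verifier_now - 600}
    print("key binding JWT:", kb_jwt_time_problems(kb_payload, now=verifier_now) or "ok")
```

The leeway is applied symmetrically (it extends both the exp and the nbf boundary), and the KB-JWT window is intentionally separate from the leeway, since it bounds freshness of the presentation rather than skew on the issuer's claims.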