
Disable verifying token issued-at timestamp #224

Closed
wants to merge 1 commit into from

Conversation

DavidLiuGit

PyJWT v2.8.0 verifies `iat` (issued-at timestamp) by default. There are several discussions on disabling this check, since it is not within spec. [Cognito's token verification guide](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-manually-inspect) does not suggest verifying `iat`, unlike `exp`. This should not be default behavior.

Other discussions:
jpadilla/pyjwt#814
jpadilla/pyjwt#939
DavidLiuGit (Author) commented Mar 26, 2024

Partial trace from pycognito when verify_iat is enabled:

```text
[...]
pycognito/__init__.py", line 266, in verify_token
    raise TokenVerificationException(
pycognito.exceptions.TokenVerificationException: Your 'access_token' token could not be verified (The token is not yet valid (iat)).
```

DavidLiuGit (Author) commented:

@pvizeli bump on this PR. WDYT?

@@ -260,6 +260,7 @@ def verify_token(self, token, id_name, token_use):
issuer=self.user_pool_url,
options={
"require": required_claims,
"verify_iat": False,
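Review bot: adding `"verify_iat": False` to the decode options in `verify_token` turns off PyJWT's whole `iat` handling, including its check that the claim is an integer, not only the "not yet valid (iat)" range comparison the PR wants to drop. Suggest keeping a type check on `iat` after decoding (rejecting a non-integer `iat` through the same `TokenVerificationException` path) so a malformed claim is still refused, and adding a one-line comment next to `"verify_iat": False,` stating that only the range check is being waived and why (the PR description: it is outside the spec and Cognito's guide does not call for it).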

This one makes sense as the range was not validated before.
However, disabling this will also disable the check to see if it is an integer. That part should still be verified.
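The distinction drawn in the review comment above (drop PyJWT's "not yet valid" range check on `iat`, keep its type check), as an added example that is not pycognito's or PyJWT's own code. It operates on a claims dict already returned by a signature-verified decode, keeps the `require` and `exp` handling the hunk relies on, and assumes a strict integer check (stricter than PyJWT's `int()` coercion):

```python
import time
from typing import Iterable, Optional


class InvalidIssuedAtError(ValueError):
    """iat is present but is not an integer timestamp."""


class ExpiredTokenError(ValueError):
    """exp is not an integer or lies in the past (beyond leeway)."""


class MissingClaimError(ValueError):
    """A claim listed as required is absent."""


def _is_int(value) -> bool:
    # bool is a subclass of int in Python; JSON true/false is not a timestamp.
    return isinstance(value, int) and not isinstance(value, bool)


def check_claims(claims: dict, now: Optional[int] = None, leeway: int = 0,
                 required: Iterable[str] = ()) -> dict:
    """Post-decode claim policy: required claims present, iat typed but not
    range-checked, exp typed and range-checked. Assumes `claims` came from a
    signature-verified decode; this function does not verify signatures."""
    now = int(time.time()) if now is None else now
    for name in required:
        if name not in claims:
            raise MissingClaimError(f"missing required claim: {name}")
    if "iat" in claims and not _is_int(claims["iat"]):
        raise InvalidIssuedAtError("Issued At claim (iat) must be an integer")
    # Deliberately no "iat > now + leeway" comparison: an iat ahead of our
    # clock (issuer skew) is tolerated, which is what verify_iat=False buys.
    if "exp" in claims:
        if not _is_int(claims["exp"]):
            raise ExpiredTokenError("Expiration claim (exp) must be an integer")
        if claims["exp"] < now - leeway:
            raise ExpiredTokenError("token has expired (exp)")
    return claims


def claim_error(claims: dict, **kwargs) -> Optional[str]:
    """The failure message for `claims`, or None if they pass the policy."""
    try:
        check_claims(claims, **kwargs)
    except ValueError as err:
        return str(err)
    return None
```

With constructed claims, `claim_error({"iat": 1700000100, "exp": 1700003600}, now=1700000000)` returns `None` even though `iat` is 100 s ahead of the clock, while a string or boolean `iat` is still rejected.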


Made an alternative with that here #252

Author


Nice. Thank you.

@ludeeus ludeeus mentioned this pull request May 14, 2024
@pvizeli pvizeli closed this May 16, 2024