Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove extrastandard assertion that iat is not from the future #191

Closed
wants to merge 2 commits into from

Conversation

gobengo
Copy link

@gobengo gobengo commented Nov 18, 2015

Discussion on #190

@mark-adams
Copy link
Contributor

So I think this is going too far. There's no reason to throw out a perfectly good feature of the library that some people may find desirable. In my case (and pretty much any case I can think of) a JWT generated in the future (which is impossible) is lying to me... why would I trust the rest of the claims?

I do understand your desire to bypass this functionality. I'd definitely support a PR that makes verify_iat default to False. I think that would alleviate your concerns while not removing a useful feature of the library. If you submit a PR that does that, I'm all for it.

@gobengo
Copy link
Author

gobengo commented Nov 25, 2015

@mark-adams @jpadilla I have amended the pull request to still leave iat future checking an option for those that want it.

However, this was not by changing the default value of the 'verify_iat' option to False, but by adding a new option.

This is because RFC7519 does specify how to verify iat (as NumericDate) with a MUST, and I don't think the default behavior should ignore that MUST. gobengo@e8a2432#diff-00ea5fc2260636f8d87435daf8c3b4c7R138

But future checking, along with a specific exception that is a subclass of InvalidIssuedAtError, is still in there with an option. gobengo@e8a2432#diff-6dc52fa39f2c4a084e5bde50b9537e4bR162

@mark-adams
Copy link
Contributor

This has been superseded by #252

@mark-adams mark-adams closed this Apr 17, 2017
@mark-adams mark-adams reopened this Apr 17, 2017
@mark-adams mark-adams closed this May 29, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants