Merge pull request #394 from nextstrain/skip-iat-verification

Skip verification of JWT's iat claim
nextstrain · Aug 29, 2024 · fd56e19 · fd56e19
2 parents 36f8989 + 7c2723f
commit fd56e19
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -13,6 +13,12 @@ development source code and as such may not be routinely kept up to date.
 
 # __NEXT__
 
+## Bug fixes
+
+* JWT authentication (e.g. `nextstrain login`) no longer verifies the issued at
+  (iat) claim. This should resolve issues for users who's system time was
+  slightly lagged and who were thus unable to login.
+  ([#394](https://github.com/nextstrain/cli/pull/394))
 
 # 8.5.2 (27 August 2024)
 

diff --git a/nextstrain/cli/authn/session.py b/nextstrain/cli/authn/session.py
@@ -638,7 +638,8 @@ def verify_tokens(self, *, id_token, access_token, refresh_token):
 
     def _verify_id_token(self, token):
         """
-        Verifies all aspects of the given ID *token* (a signed JWT).
+        Verifies all aspects of the given ID *token* (a signed JWT) except for the iat
+        (issued at claim, see <https://github.com/nextstrain/cli/issues/307>)
 
         Assertions about expected algorithms, audience, issuer, and token use
         follow guidelines from
@@ -656,7 +657,9 @@ def _verify_id_token(self, token):
                 algorithms = ["RS256"],
                 audience   = self.client_configuration["client_id"],
                 issuer     = self.openid_configuration["issuer"],
-                options    = { "require": ["exp"] })
+                options    = { "require": ["exp"],
+                               "verify_iat": False,
+                             })
 
         except jwt.exceptions.ExpiredSignatureError:
             raise ExpiredTokenError(use)