fix: skip validating iat is in the past

validating that iat is in the past is common sense but actually nowhere defined, OpenID JWTs forcibly contain `exp` and for those it seems requiring a few second leeway just to satisfy `iat` seems inappropriate
panva · Dec 17, 2019 · 0791001 · 0791001
1 parent 9c672b6
commit 0791001
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 22 deletions.
diff --git a/lib/client.js b/lib/client.js
@@ -691,12 +691,6 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
           jwt: idToken,
         });
       }
-      if (payload.iat > timestamp + this[CLOCK_TOLERANCE]) {
-        throw new RPError({
-          printf: ['id_token issued in the future, now %i, iat %i', timestamp + this[CLOCK_TOLERANCE], payload.iat],
-          jwt: idToken,
-        });
-      }
     }
 
     if (payload.nbf !== undefined) {

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -1884,22 +1884,6 @@ describe('Client', () => {
         });
     });
 
-    it('verifies iat is in the past', function () {
-      const payload = {
-        iss: this.issuer.issuer,
-        sub: 'userId',
-        aud: this.client.client_id,
-        exp: now() + 3600,
-        iat: now() + 20,
-      };
-
-      return this.IdToken(this.keystore.get(), 'RS256', payload)
-        .then((token) => this.client.validateIdToken(token))
-        .then(fail, (error) => {
-          expect(error).to.have.property('message').that.matches(/^id_token issued in the future, now \d+, iat \d+$/);
-        });
-    });
-
     it('allows iat skew', function () {
       this.client[custom.clock_tolerance] = 5;
       const payload = {