Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please stop validating that iat <= now by default #939

Open
vergenzt opened this issue Jan 19, 2024 · 3 comments
Open

Please stop validating that iat <= now by default #939

vergenzt opened this issue Jan 19, 2024 · 3 comments
Labels
keep

Comments

@vergenzt
Copy link

vergenzt commented Jan 19, 2024
edited

Opening a new issue since my previous rant about this was on a closed issue.

Request

Could we set the default value of verify_iat to False and publish this breaking change as version 3.0?

Clients who understand the risks and want to engage in this extra-spec behavior should opt in by setting verify_iat to True, and the need to do this should be announced in the changelog for this new major version. (Or maybe there could be a global variable in pyjwt to control the verify_iat default?)

Timeline of this behavior

Other related issues

Status of erratum report on official spec

I've filed an erratum report on the upstream JWT RFC here: https://www.rfc-editor.org/errata/eid7720. Discussion is ongoing, but the only controversy seems to be whether and/or how to publish the advice not do this, not whether or not this validation is appropriate. (Most seem to agree that this validation is not appropriate to perform.)

The discussion mailing list unfortunately appears to be private, but I've asked for either a public archive link (if one exists) and/or consent for me to share folks' responses if indeed the list is private; I'll update here if I receive either.

Justification

To copy/paste my previous comment on the closed issue:

This was litigated previously at #190. The JWT spec does NOT say to reject tokens with iat ("issued at") in the future, so this behavior goes beyond the spec and is inconsistent with many other JWT libraries.

4.1.6. "iat" (Issued At) Claim

The "iat" (issued at) claim identifies the time at which the JWT was
issued. This claim can be used to determine the age of the JWT. Its
value MUST be a number containing a NumericDate value. Use of this
claim is OPTIONAL.

If token issuers want clients to specify that a token should not be accepted before a certain timestamp (which puts additional constraints upon clients by implying that clients' clocks should keep relatively in sync with a central clock source and/or need to check it with leeway) then the issuer is supposed to set nbf ("not before"):

4.1.5. "nbf" (Not Before) Claim

The "nbf" (not before) claim identifies the time before which the JWT
MUST NOT be accepted for processing. The processing of the "nbf"
claim requires that the current date/time MUST be after or equal to
the not-before date/time listed in the "nbf" claim. Implementers MAY
provide for some small leeway, usually no more than a few minutes, to
account for clock skew. Its value MUST be a number containing a
NumericDate value. Use of this claim is OPTIONAL.

I am currently getting bit by this issue a lot in a large enterprise microservices environment (where token issuer, token user, and token-accepting server which validates offline using RSA are three different machines) where clock drift is coming into play. Myself and 10+ other people have now wasted multiple days of person-time trying to figure out why tokens were being rejected, talking about how best to address it, and managing the workloads & deliverables of the people investigating & talking about this.

Thoughts? Can we settle this once and for all?
@vergenzt
Copy link
Author

cc @CollinEMac, @4dhyperplane, @ddhecker, @sb-keane, @mikkelsvartveit, @fdemmer, @gobengo, @nicktimko, @pengale -- tagging folks who 👍'd on my previous rant and/or have litigated this in the past 😅

@mikkelsvartveit
Copy link

I strongly agree with this, the current behavior is a terrible default for a JWT library

@jpadilla
Copy link
Owner

Thanks for the thoughtful and thorough issue. I'm down with rectifying this on a v3. We'll need to add a deprecation warning on the next v2 release.

@jpadilla jpadilla added the keep label Jan 20, 2024
DavidLiuGit added a commit to DavidLiuGit/pycognito that referenced this issue Mar 26, 2024
@DavidLiuGit
Disable verifying token issued-at timestamp
26d0688 
PyJWT v2.8.0 verifies `iat` (issued-at timestamp) by default. There are several discussions on disabling this check, since it is not within spec. [Cognito's token verification guide](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-manually-inspect) does not suggest verifying `iat`, unlike `exp`.

Other discussions:
jpadilla/pyjwt#814
jpadilla/pyjwt#939
@DavidLiuGit DavidLiuGit mentioned this issue Mar 26, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
keep
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jpadilla @vergenzt @mikkelsvartveit