Stop rejecting tokens with future 'iat' values

RFC 7519 does not specify or even suggest this type of validation on the 'iat' claim and it has caused issues for several consumers of PyJWT. This change removes the validation on future 'iat' values and leaves such things up to the application developer to implement. Fixes #190.
jpadilla · Apr 17, 2017 · 0ace701 · 0ace701
1 parent ceff941
commit 0ace701
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 15 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Add support for ECDSA public keys in RFC 4253 (OpenSSH) format [#244][244]
 - Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the script clobbering the `jwt` module in some circumstances.
 - Better error messages when using an algorithm that requires the cryptography package, but it isn't available [#230][230]
+- Tokens with future 'iat' values are no longer rejected [#190][190]
 
 ### Fixed
 
@@ -129,5 +130,6 @@ rarely used. Users affected by this should upgrade to 3.3+.
 [174]: https://github.com/jpadilla/pyjwt/pull/174
 [182]: https://github.com/jpadilla/pyjwt/pull/182
 [183]: https://github.com/jpadilla/pyjwt/pull/183
+[190]: https://github.com/jpadilla/pyjwt/pull/190
 [213]: https://github.com/jpadilla/pyjwt/pull/214
 [244]: https://github.com/jpadilla/pyjwt/pull/244
diff --git a/docs/usage.rst b/docs/usage.rst
@@ -180,9 +180,6 @@ Issued At Claim (iat)
     This claim can be used to determine the age of the JWT. Its value MUST be a
     number containing a NumericDate value. Use of this claim is OPTIONAL.
 
-If the `iat` claim is in the future, an `jwt.InvalidIssuedAtError` exception
-will be raised.
-
 .. code-block:: python
 
     jwt.encode({'iat': 1371720939}, 'secret')

diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
@@ -121,14 +121,10 @@ def _validate_required_claims(self, payload, options):
 
     def _validate_iat(self, payload, now, leeway):
         try:
-            iat = int(payload['iat'])
+            int(payload['iat'])
         except ValueError:
             raise DecodeError('Issued At claim (iat) must be an integer.')
 
-        if iat > (now + leeway):
-            raise InvalidIssuedAtError('Issued At claim (iat) cannot be in'
-                                       ' the future.')
-
     def _validate_nbf(self, payload, now, leeway):
         try:
             nbf = int(payload['nbf'])

diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
@@ -154,13 +154,6 @@ def test_decode_raises_exception_if_nbf_is_not_int(self, jwt):
         with pytest.raises(DecodeError):
             jwt.decode(example_jwt, 'secret')
 
-    def test_decode_raises_exception_if_iat_in_the_future(self, jwt):
-        now = datetime.utcnow()
-        token = jwt.encode({'iat': now + timedelta(days=1)}, key='secret')
-
-        with pytest.raises(InvalidIssuedAtError):
-            jwt.decode(token, 'secret')
-
     def test_encode_datetime(self, jwt):
         secret = 'secret'
         current_datetime = datetime.utcnow()