SimpleJWS verification fails if no iat claim

[mamciek]

According to JWT standard the 'iat' claim i optional. When decoding token (without 'iat') using SimpleJWS then verification of the signature fails. There is a function generateSigninInput in JWT class that return the input that the signature is verified against.

    public function generateSigninInput()
    {
        $base64payload = $this->encoder->encode(json_encode($this->getPayload(), JSON_UNESCAPED_SLASHES));
        $base64header = $this->encoder->encode(json_encode($this->getHeader(), JSON_UNESCAPED_SLASHES));
        return sprintf('%s.%s', $base64header, $base64payload);
    }

But when decoding token (without iat claim) with SimpleJWS, then 'iat' is automatically added to the decoded payload in setPayload method of SimpleJWS so the signinginput is different than was originally in token.

    public function setPayload(array $payload)
    {
        if (!isset($payload['iat'])) {
            $payload['iat'] = time();
        }
        return parent::setPayload($payload);
    }

[jbidzik]

same problem here.
if we used a token generated by another system that does not had iat, signature verification fails.
Maybe adding iat claim must be only done on token creation. Or maybe not use iat at all.