Description
I know this was raised on an earlier issue (#247 (comment)), but I've only just tried to upgrade to 2.2.1, and it breaks our tests because we did historically see iat verification errors due to clock sync issues between systems. And using the iat_leeway was a solution for us.

I can see that the RFC was the motivation for this change (#247 (comment)). So the RFC says we MUST verify the nbf and exp claims, and each of these MAY have a leeway: https://tools.ietf.org/html/rfc7519#section-4.1.4

However, it says nothing about verifying the iat claim, just that it:

> MUST be a number containing a NumericDate value

I believe the answer is to remove the verify_iat method and treat iat as just a point of information, not a field to verify. As the RFC says:

> The "iat" (issued at) claim identifies the time at which the JWT was issued.
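For reference, the following is an added example, not ruby-jwt's own code, of a minimal HS256 verifier that handles time claims the way the issue argues for: `exp` and `nbf` are verified, each with its own leeway to absorb clock skew, while `iat` only has to be a NumericDate and is otherwise informational. The module name `MinimalJwt` and the `now:`, `exp_leeway:` and `nbf_leeway:` options are assumptions made for this example.

```ruby
# Added example, not ruby-jwt's own code: a minimal HS256 JWT verifier that
# handles time claims the way RFC 7519 describes them. "exp" and "nbf" are
# verified, each with its own leeway for clock skew; "iat" only has to be a
# NumericDate and is otherwise informational. Module and option names are
# assumptions made for this example.
require 'openssl'
require 'json'

module MinimalJwt
  class VerificationError < StandardError; end

  # base64url without padding, as JWS requires (RFC 7515 section 2)
  def self.b64url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str.tr('-_', '+/') + '=' * ((4 - str.length % 4) % 4)
    padded.unpack1('m0')
  rescue ArgumentError
    raise VerificationError, 'invalid base64url segment'
  end

  # Constant-time comparison so the signature check does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Builds a signed token; used here only to construct sample input.
  def self.encode(payload, secret)
    header = { 'alg' => 'HS256', 'typ' => 'JWT' }
    signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
    sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url_encode(sig)}"
  end

  # Verifies the signature, then the time claims.
  #   now:        reference time in seconds (injected so the checks are deterministic)
  #   exp_leeway: seconds after exp during which the token is still accepted
  #   nbf_leeway: seconds before nbf during which the token is already accepted
  def self.decode(token, secret, now: Time.now.to_i, exp_leeway: 0, nbf_leeway: 0)
    parts = token.split('.')
    raise VerificationError, 'malformed token' unless parts.length == 3
    header_b64, payload_b64, sig_b64 = parts

    header = JSON.parse(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    raise VerificationError, 'unexpected alg' unless header.is_a?(Hash) && header['alg'] == 'HS256'

    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
    raise VerificationError, 'bad signature' unless secure_equal?(b64url_decode(sig_b64), expected)

    payload = JSON.parse(b64url_decode(payload_b64))
    raise VerificationError, 'payload is not a JSON object' unless payload.is_a?(Hash)
    verify_time_claims!(payload, now: now, exp_leeway: exp_leeway, nbf_leeway: nbf_leeway)
  end

  def self.numeric_date?(value)
    value.is_a?(Numeric)
  end

  def self.verify_time_claims!(payload, now:, exp_leeway:, nbf_leeway:)
    if payload.key?('exp')
      raise VerificationError, 'exp is not a NumericDate' unless numeric_date?(payload['exp'])
      # RFC 7519 4.1.4: the current time MUST be before exp (leeway tolerated)
      raise VerificationError, 'token has expired' unless now < payload['exp'] + exp_leeway
    end
    if payload.key?('nbf')
      raise VerificationError, 'nbf is not a NumericDate' unless numeric_date?(payload['nbf'])
      # RFC 7519 4.1.5: the current time MUST be on or after nbf (leeway tolerated)
      raise VerificationError, 'token not yet valid' unless now >= payload['nbf'] - nbf_leeway
    end
    if payload.key?('iat')
      # RFC 7519 4.1.6: iat MUST be a NumericDate; its value is not compared to the
      # clock, so skew between issuer and verifier cannot fail verification here.
      raise VerificationError, 'iat is not a NumericDate' unless numeric_date?(payload['iat'])
    end
    payload
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret'
  now = Time.now.to_i
  # iat 30 s in the future simulates an issuer whose clock runs ahead of ours
  token = MinimalJwt.encode({ 'sub' => 'alice', 'iat' => now + 30, 'exp' => now + 300 }, secret)
  puts MinimalJwt.decode(token, secret, now: now).inspect
end
```

With this split, a token whose `iat` is a little ahead of the verifier's clock decodes normally, while an expired or not-yet-valid token is still rejected unless the caller grants an explicit `exp_leeway` or `nbf_leeway`; the signature check and the algorithm pin run before any claim is looked at.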