Skip verification of JWT's iat claim

Client clock skew can lead to invalid JWTs
resulting the the following error during login:

```
nextstrain.cli.aws.cognito.TokenError:
ImmatureSignatureError: The token is not yet valid (iat)
````

See <#307>
and the (internal) Slack thread
<https://bedfordlab.slack.com/archives/C01LCTT7JNN/p1719286802460679>
for discussion about whether iat timestamps ahead of the current
clock are actually invalid JWTs.

CHANGES.md

@@ -13,6 +13,12 @@ development source code and as such may not be routinely kept up to date.
 
 # __NEXT__
 
+## Bug fixes
+
+* JWT authentication (e.g. `nextstrain login`) no longer verifies the issued at
+  (iat) claim. This should resolve issues for users who's system time was
+  slightly lagged and who were thus unable to login.
+  ([#394](https://github.com/nextstrain/cli/pull/394))
 
 # 8.5.2 (27 August 2024)
 

nextstrain/cli/authn/session.py

@@ -638,7 +638,8 @@ def verify_tokens(self, *, id_token, access_token, refresh_token):
 
     def _verify_id_token(self, token):
         """
-        Verifies all aspects of the given ID *token* (a signed JWT).
+        Verifies all aspects of the given ID *token* (a signed JWT) except for the iat
+        (issued at claim, see <https://github.com/nextstrain/cli/issues/307>)
 
         Assertions about expected algorithms, audience, issuer, and token use
         follow guidelines from
@@ -656,7 +657,9 @@ def _verify_id_token(self, token):
                 algorithms = ["RS256"],
                 audience   = self.client_configuration["client_id"],
                 issuer     = self.openid_configuration["issuer"],
-                options    = { "require": ["exp"] })
+                options    = { "require": ["exp"],
+                               "verify_iat": False,
+                             })
 
         except jwt.exceptions.ExpiredSignatureError:
             raise ExpiredTokenError(use)