Skip verification of JWT's iat claim

Client clock skew can lead to invalid JWTs resulting the the following error during login: ``` nextstrain.cli.aws.cognito.TokenError: ImmatureSignatureError: The token is not yet valid (iat) ```` See <#307> and the (internal) Slack thread <https://bedfordlab.slack.com/archives/C01LCTT7JNN/p1719286802460679> for discussion about whether iat timestamps ahead of the current clock are actually invalid JWTs.
nextstrain · Aug 29, 2024 · df7d035 · df7d035
1 parent 36f8989
commit df7d035
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/nextstrain/cli/authn/session.py b/nextstrain/cli/authn/session.py
@@ -638,7 +638,8 @@ def verify_tokens(self, *, id_token, access_token, refresh_token):
 
     def _verify_id_token(self, token):
         """
-        Verifies all aspects of the given ID *token* (a signed JWT).
+        Verifies all aspects of the given ID *token* (a signed JWT) except for the iat
+        (issued at claim, see <https://github.com/nextstrain/cli/issues/307>)
 
         Assertions about expected algorithms, audience, issuer, and token use
         follow guidelines from
@@ -656,7 +657,9 @@ def _verify_id_token(self, token):
                 algorithms = ["RS256"],
                 audience   = self.client_configuration["client_id"],
                 issuer     = self.openid_configuration["issuer"],
-                options    = { "require": ["exp"] })
+                options    = { "require": ["exp"],
+                               "verify_iat": False,
+                             })
 
         except jwt.exceptions.ExpiredSignatureError:
             raise ExpiredTokenError(use)