Disable verifying token issued-at timestamp

PyJWT v2.8.0 verifies `iat` (issued-at timestamp) by default. There are several discussions on disabling this check, since it is not within spec. [Cognito's token verification guide](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-manually-inspect) does not suggest verifying `iat`, unlike `exp`. Other discussions: jpadilla/pyjwt#814 jpadilla/pyjwt#939
DavidLiuGit · Mar 26, 2024 · 26d0688 · 26d0688
1 parent 7c85239
commit 26d0688
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/pycognito/__init__.py b/pycognito/__init__.py
@@ -260,6 +260,7 @@ def verify_token(self, token, id_name, token_use):
                 issuer=self.user_pool_url,
                 options={
                     "require": required_claims,
+                    "verify_iat": False,
                 },
             )
         except jwt.PyJWTError as err: