In jwt/validator.go, the validation logic for IssuedAt is:

    // Check issued-at if the option is enabled
    if v.verifyIat {
        if err = v.verifyIssuedAt(claims, now, false); err != nil {
            errs = append(errs, err)
        }
    }

Because the last parameter to v.verifyIssuedAt(claims, now, false) is false, IssuedAt is not verified even if v.verifyIat is true.
The correct logic is to use v.verifyIssuedAt(claims, now, true).
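
A caller-side check that enforces iat independently of the library's validator flag, as an added example that is not code from this report or from the project. The names checkIssuedAt, makeToken, ErrIatMissing and ErrIatFuture are hypothetical, the sample tokens are constructed, and the helper assumes the token's signature has already been verified.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var ErrIatMissing, ErrIatFuture = errors.New("iat missing or not a number"), errors.New("iat is in the future")

// checkIssuedAt (hypothetical helper) requires a numeric iat no later than
// now+leeway. It does NOT verify the signature; call it only after that step.
func checkIssuedAt(token string, now time.Time, leeway time.Duration) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("token is not a three-part compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("payload is not JSON: %w", err)
	}
	iat, ok := claims["iat"].(float64) // JSON numbers decode to float64
	if !ok {
		return ErrIatMissing // absent or wrongly typed iat is rejected
	}
	if time.Unix(int64(iat), 0).After(now.Add(leeway)) {
		return ErrIatFuture
	}
	return nil
}

// makeToken builds a constructed sample token ("e30" is "{}"; "sig" is a placeholder).
func makeToken(claimsJSON string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(claimsJSON)) + ".sig"
}

func main() {
	now := time.Unix(1700000000, 0) // fixed clock so the output is reproducible
	for _, c := range []string{`{"sub":"a","iat":1699999000}`, `{"sub":"a","iat":1700009999}`, `{"sub":"a"}`} {
		fmt.Printf("%-30s -> %v\n", c, checkIssuedAt(makeToken(c), now, time.Minute))
	}
}
```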