Why does the parser pass 'false' as required to the VerifyNotBefore and VerifyIssuedAt? #431

DukeLuke94 · 2025-01-16T15:24:26Z

DukeLuke94
Jan 16, 2025

If I configure the parser to validate the IssuedAt claim (with parserOptions: jwt.WithIssuedAt) and I provide a jwt token without an "iat" claim, the token is valid. Why? Because the parser passes false as required, as apposed to the other functions such as verifyAudience and verifyIssuer. What's the logic behind this?

`

if err = v.verifyNotBefore(claims, now, false); err != nil {
	errs = append(errs, err)
}

// Check issued-at if the option is enabled
if v.verifyIat {
	if err = v.verifyIssuedAt(claims, now, false); err != nil {
		errs = append(errs, err)
	}
}

// If we have an expected audience, we also require the audience claim
if v.expectedAud != "" {
	if err = v.verifyAudience(claims, v.expectedAud, true); err != nil {
		errs = append(errs, err)
	}
}

// If we have an expected issuer, we also require the issuer claim
if v.expectedIss != "" {
	if err = v.verifyIssuer(claims, v.expectedIss, true); err != nil {
		errs = append(errs, err)
	}
}

`

the-wagness · 2025-06-12T20:34:18Z

the-wagness
Jun 12, 2025

Im guessing this is a bug... I opened a PR to fix it but not sure how to get traction on it
#443

1 reply

the-wagness Jun 12, 2025

It seems a lot of the validation code was added in version 5, I've found other errors (like if you use parseUnverified it doesn't run any validation checks configured for the parser) but I dont want to fix until I figure out how to contribute here

mfridman · 2025-06-12T20:42:08Z

mfridman
Jun 12, 2025
Maintainer

This has come up a few times, have you seen this comment from another related issue?

#411 (comment)

0 replies

the-wagness · 2025-06-12T20:53:37Z

the-wagness
Jun 12, 2025

Oh interesting, I had not seen that. I will see if I can get that implemented in the way described by the ticket.. Another question about validation, is it intentional that parseUnverified skips calling Validate() (so my custom claims Validate() method does not get called if I use ParseUnverified)

…

On Thu, Jun 12, 2025 at 1:42 PM Michael Fridman ***@***.***> wrote: This has come up a few times, have you seen this? #411 <#411> — Reply to this email directly, view it on GitHub <#431 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AWNJFUYRAEJXYCJOMTAH4CD3DHQ3LAVCNFSM6AAAAABVJ4BRMWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGNBVGMZDAMY> . You are receiving this because you commented.Message ID: ***@***.***>

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Why does the parser pass 'false' as required to the VerifyNotBefore and VerifyIssuedAt? #431

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Why does the parser pass 'false' as required to the VerifyNotBefore and VerifyIssuedAt? #431

Uh oh!

DukeLuke94 Jan 16, 2025

Replies: 3 comments · 1 reply

Uh oh!

the-wagness Jun 12, 2025

Uh oh!

the-wagness Jun 12, 2025

Uh oh!

Uh oh!

mfridman Jun 12, 2025 Maintainer

Uh oh!

the-wagness Jun 12, 2025

DukeLuke94
Jan 16, 2025

Replies: 3 comments 1 reply

the-wagness
Jun 12, 2025

mfridman
Jun 12, 2025
Maintainer

the-wagness
Jun 12, 2025